From 03e66cab91e0548770cc4c70ec89d995c735f26c Mon Sep 17 00:00:00 2001
From: Ian Lewis <ianlewis@google.com>
Date: Wed, 28 Dec 2022 02:36:08 +0900
Subject: [PATCH] Update golang image sha (#1407)

* Update golang image sha

Signed-off-by: Ian Lewis <ianlewis@google.com>

* grep only specific output

Signed-off-by: Ian Lewis <ianlewis@google.com>

* Parse the JSON output

Signed-off-by: Ian Lewis <ianlewis@google.com>

Signed-off-by: Ian Lewis <ianlewis@google.com>
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
---
 .github/actions/detect-workflow/Dockerfile    |  2 +-
 .../workflows/scripts/verify-base-images.sh   | 23 ++++++++++---------
 2 files changed, 13 insertions(+), 12 deletions(-)

diff --git a/.github/actions/detect-workflow/Dockerfile b/.github/actions/detect-workflow/Dockerfile
index 401967f1b7..27ee057b54 100644
--- a/.github/actions/detect-workflow/Dockerfile
+++ b/.github/actions/detect-workflow/Dockerfile
@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM golang:1.19.4@sha256:cfaad8202aed5121121dfe3a252e98d5c89cc67fc456cc69fe70eb7dcc1b8cff as builder
+FROM golang:1.19.4@sha256:941582ed5a1189ce2c8cf6a806cfb8f5924694e1f58856869f98364315de6231 as builder
 
 WORKDIR /app
 COPY . /app
diff --git a/.github/workflows/scripts/verify-base-images.sh b/.github/workflows/scripts/verify-base-images.sh
index bef054b6f4..0488a85392 100755
--- a/.github/workflows/scripts/verify-base-images.sh
+++ b/.github/workflows/scripts/verify-base-images.sh
@@ -17,28 +17,29 @@ set -euo pipefail
 
 # NOTE: Use read to avoid whitespace issues.
 find . \( ! -name vendor -o -prune \) \( ! -name node_modules -o -prune \) -type f -name Dockerfile -print0 | while IFS= read -r -d '' f; do
-    echo "Checking $f"
-    grep "^FROM " "$f" | while IFS= read -r line; do
-        image_full=$(echo "$line" | awk '{ print $2 }')
-        image_name=$(echo "$image_full" | cut -d '@' -f 1)
-        image_sha=$(echo "$image_full" | cut -d '@' -f 2- | cut -d ':' -f 2-)
+    echo "Checking ${f}"
+    grep "^FROM " "${f}" | while IFS= read -r line; do
+        image_full=$(echo "${line}" | awk '{ print $2 }')
+        image_name=$(echo "${image_full}" | cut -d '@' -f 1 | cut -d ':' -f 1)
+        image_tag=$(echo "${image_full}" | cut -d '@' -f 1 | cut -d ':' -f 2)
+        image_sha=$(echo "${image_full}" | cut -d '@' -f 2- | cut -d ':' -f 2-)
 
-        echo "Verifying base image $image_full"
+        echo "Verifying base image ${image_full}"
 
         # verify that the image contains a sha.
-        if [ "$image_sha" == "" ]; then
-            echo "\"$image_full\" should be referenced by digest."
+        if [ "${image_sha}" == "" ]; then
+            echo "\"${image_full}\" should be referenced by digest."
             exit 2
         fi
 
         # verify distroless base images.
-        if [[ "$image_name" == gcr.io/distroless/* ]]; then
+        if [[ "${image_name}" == gcr.io/distroless/* ]]; then
             # verify the image signature.
             cosign verify --key .github/workflows/scripts/distroless.pub "$image_full"
         else
             # All other base images should be signed using Docker Content Trust.
-            if ! (DOCKER_CONTENT_TRUST=1 docker trust inspect --pretty "$image_name" | grep "$image_sha"); then
-                echo "$image_full: unable to verify Docker Content Trust."
+            if ! (DOCKER_CONTENT_TRUST=1 docker trust inspect "${image_name}:${image_tag}" | jq -r ".[].SignedTags | .[] | select(.SignedTag == \"${image_tag}\") | .Digest" | grep "${image_sha}"); then
+                echo "${image_full}: unable to verify Docker Content Trust."
                 exit 2
             fi
         fi