2020 env :
2121 CRANE_VERSION : v0.20.5
2222 CRANE_CHECKSUM : ad4cd9af2568c62c97e346de6d1295ee8c6ce3341f7b71cf02d41292b4532680
23+ COMPONENT : ${{ inputs.component }}
24+ ARCH : ${{ inputs.arch }}
25+ REPOSITORY_OWNER : ${{ github.repository_owner }}
26+ GIT_REF : ${{ github.ref }}
2327
2428 steps :
2529 - name : Install cosign
@@ -50,36 +54,36 @@ jobs:
5054 working-directory : ${{ runner.temp }}/digests
5155 run : |
5256 set -e
53- DIGEST=$(cat ${{ inputs.component }}-${{ inputs.arch }}. txt)
57+ DIGEST=" $(cat -- "$COMPONENT-$ARCH. txt")"
5458 echo "DIGEST=${DIGEST}" >> "$GITHUB_ENV"
5559 - name : Find attestation digest
5660 run : |
5761 set -e
58- DIGEST=$(crane manifest ghcr.io/${{ github.repository_owner }}/${{ inputs.component }}@${{ env. DIGEST }} \
62+ DIGEST=$(crane manifest ghcr.io/$REPOSITORY_OWNER/$COMPONENT@$ DIGEST \
5963 | jq -r '.manifests[]
6064 | select(.annotations["vnd.docker.reference.type"] == "attestation-manifest")
6165 | .digest')
6266 if [[ -z "${DIGEST}" ]]; then
63- echo "ERROR: No attestation manifest found for ${{ inputs.component }} (${{ inputs.arch }} )"
67+ echo "ERROR: No attestation manifest found for $COMPONENT ($ARCH )"
6468 exit 1
6569 fi
6670 echo "ATTESTATION_MANIFEST_DIGEST=${DIGEST}" >> "$GITHUB_ENV"
6771 - name : Find provenance manifest digest
6872 run : |
6973 set -e
70- DIGEST=$(crane manifest ghcr.io/${{ github.repository_owner }}/${{ inputs.component }}@${{ env. ATTESTATION_MANIFEST_DIGEST }} |
74+ DIGEST=$(crane manifest ghcr.io/$REPOSITORY_OWNER/$COMPONENT@$ ATTESTATION_MANIFEST_DIGEST |
7175 jq -r '.layers[]
7276 | select(.annotations["in-toto.io/predicate-type"] == "https://slsa.dev/provenance/v1")
7377 | .digest')
7478 if [[ -z "${DIGEST}" ]]; then
75- echo "ERROR: No SLSA provenance layer found in attestation manifest for ${{ inputs.component }} (${{ inputs.arch }} )"
79+ echo "ERROR: No SLSA provenance layer found in attestation manifest for $COMPONENT ($ARCH )"
7680 exit 1
7781 fi
7882 echo "PROVENANCE_DIGEST=${DIGEST}" >> "$GITHUB_ENV"
7983 - name : Find SBOM manifest layer digest
8084 run : |
8185 set -e
82- DIGEST=$(crane manifest ghcr.io/${{github.repository_owner}}/${{ inputs.component }}@${{ env. ATTESTATION_MANIFEST_DIGEST}} | \
86+ DIGEST=$(crane manifest ghcr.io/$REPOSITORY_OWNER/$COMPONENT@$ ATTESTATION_MANIFEST_DIGEST | \
8387 jq -r '.layers
8488 | map(select(.annotations["in-toto.io/predicate-type"] == "https://spdx.dev/Document"))
8589 | map(.digest)
8892 else error("ERROR: Multiple SBOM layers found in attestation manifest")
8993 end')
9094 if [[ -z "${DIGEST}" ]]; then
91- echo "ERROR: No SBOM layer found in attestation manifest for ${{ inputs.component }} (${{ inputs.arch }} )"
95+ echo "ERROR: No SBOM layer found in attestation manifest for $COMPONENT ($ARCH )"
9296 exit 1
9397 fi
9498 echo "SBOM_DIGEST=${DIGEST}" >> "$GITHUB_ENV"
@@ -99,30 +103,30 @@ jobs:
99103 - name : Download provenance and SBOM files
100104 run : |
101105 set -e
102- crane blob ghcr.io/${{github.repository_owner}}/${{ inputs.component }}@${{ env. PROVENANCE_DIGEST}} \
103- > ${{ inputs.component }} -attestation-${{ inputs.arch }} -provenance.intoto.jsonl
104- crane blob ghcr.io/${{github.repository_owner}}/${{ inputs.component }}@${{ env. SBOM_DIGEST}} \
105- > ${{ inputs.component }} -attestation-${{ inputs.arch }} -sbom.json
106+ crane blob ghcr.io/$REPOSITORY_OWNER/$COMPONENT@$ PROVENANCE_DIGEST \
107+ > $COMPONENT -attestation-$ARCH -provenance.intoto.jsonl
108+ crane blob ghcr.io/$REPOSITORY_OWNER/$COMPONENT@$ SBOM_DIGEST \
109+ > $COMPONENT -attestation-$ARCH -sbom.json
106110 - name : Sign provenance and SBOM files
107111 run : |
108112 set -e
109113 cosign sign-blob --yes \
110- --bundle ${{ inputs.component }} -attestation-${{ inputs.arch }} -provenance.intoto.jsonl.bundle.sigstore \
111- ${{ inputs.component }} -attestation-${{ inputs.arch }} -provenance.intoto.jsonl
114+ --bundle $COMPONENT -attestation-$ARCH -provenance.intoto.jsonl.bundle.sigstore \
115+ $COMPONENT -attestation-$ARCH -provenance.intoto.jsonl
112116 cosign verify-blob \
113- --bundle ${{ inputs.component }} -attestation-${{ inputs.arch }} -provenance.intoto.jsonl.bundle.sigstore \
117+ --bundle $COMPONENT -attestation-$ARCH -provenance.intoto.jsonl.bundle.sigstore \
114118 --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
115- --certificate-identity="https://github.com/${{github.repository_owner}} /kubewarden-controller/.github/workflows/attestation.yml@${{ github.ref }} " \
116- ${{ inputs.component }} -attestation-${{ inputs.arch }} -provenance.intoto.jsonl
119+ --certificate-identity="https://github.com/$REPOSITORY_OWNER /kubewarden-controller/.github/workflows/attestation.yml@$GIT_REF " \
120+ $COMPONENT -attestation-$ARCH -provenance.intoto.jsonl
117121
118122 cosign sign-blob --yes \
119- --bundle ${{ inputs.component }} -attestation-${{ inputs.arch }} -sbom.json.bundle.sigstore \
120- ${{ inputs.component }} -attestation-${{ inputs.arch }} -sbom.json
123+ --bundle $COMPONENT -attestation-$ARCH -sbom.json.bundle.sigstore \
124+ $COMPONENT -attestation-$ARCH -sbom.json
121125 cosign verify-blob \
122- --bundle ${{ inputs.component }} -attestation-${{ inputs.arch }} -sbom.json.bundle.sigstore \
126+ --bundle $COMPONENT -attestation-$ARCH -sbom.json.bundle.sigstore \
123127 --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
124- --certificate-identity="https://github.com/${{github.repository_owner}} /kubewarden-controller/.github/workflows/attestation.yml@${{ github.ref }} " \
125- ${{ inputs.component }} -attestation-${{ inputs.arch }} -sbom.json
128+ --certificate-identity="https://github.com/$REPOSITORY_OWNER /kubewarden-controller/.github/workflows/attestation.yml@$GIT_REF " \
129+ $COMPONENT -attestation-$ARCH -sbom.json
126130
127131 - name : Upload SBOMs as artifacts
128132 uses : actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
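Review bot: The file-name expansions on the new lines 107–109 and 114–129 are still unquoted (`> $COMPONENT-attestation-$ARCH-provenance.intoto.jsonl`, `--bundle $COMPONENT-attestation-$ARCH-...`), so a `component` or `arch` input containing whitespace or a glob character would split the redirect target or the cosign argument; the same applies to `@$PROVENANCE_DIGEST` and `@$SBOM_DIGEST` here and to `@$DIGEST` and `@$ATTESTATION_MANIFEST_DIGEST` in the hunk at -50,36. Moving the inputs into `env:` removes the expression-injection path and is the right fix, but the earlier step already quotes its expansion (`"$COMPONENT-$ARCH.txt"`) while these steps do not. Quote them the same way, e.g. `> "$COMPONENT-attestation-$ARCH-provenance.intoto.jsonl"` and `"$COMPONENT-attestation-$ARCH-provenance.intoto.jsonl"` as the cosign positional argument. The spaces inside the names as rendered here (`$COMPONENT -attestation`) look like rendering artifacts rather than code; if they are real, the commands break before quoting matters.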