fix(ci): fix broken release, address issue during attestation step

flavio · flavio · commit 7ad26ee4679d · 2026-03-18T19:08:24.000+01:00
The SLSA provenance predicate was changed to a different value, this
caused a digest to be empty, leading to a cascaded failure.

- Replace `slsa.dev/provenance/v0.2` with `v1` (`docker/build-push-action` v6 generates v1): this is the
  actual fix
- Add empty-digest guards on attestation, provenance, and SBOM lookup steps: this will
  provide a more clear message if something like that happens again.
- Add missing `-r` flag to jq in SBOM digest step: this is a minor
  improvemnt. It prevents double quuotes to land into the `crane`
  command later on.

Signed-off-by: Flavio Castelli &lt;fcastelli@suse.com&gt;
Assisted-by: Claude Sonnet 4.6
diff --git a/.github/workflows/attestation.yml b/.github/workflows/attestation.yml
@@ -59,20 +59,32 @@ jobs:
           | jq -r '.manifests[]
             | select(.annotations["vnd.docker.reference.type"] == "attestation-manifest")
             | .digest')
+          if [[ -z "${DIGEST}" ]]; then
+            echo "ERROR: No attestation manifest found for ${{ inputs.component }} (${{ inputs.arch }})"
+            exit 1
+          fi
           echo "ATTESTATION_MANIFEST_DIGEST=${DIGEST}" >> "$GITHUB_ENV"
       - name: Find provenance manifest digest
         run: |
           set -e
           DIGEST=$(crane manifest ghcr.io/${{ github.repository_owner }}/${{ inputs.component }}@${{ env.ATTESTATION_MANIFEST_DIGEST }} |
                       jq -r '.layers[]
-                        | select(.annotations["in-toto.io/predicate-type"] == "https://slsa.dev/provenance/v0.2")
+                        | select(.annotations["in-toto.io/predicate-type"] == "https://slsa.dev/provenance/v1")
                         | .digest')
+          if [[ -z "${DIGEST}" ]]; then
+            echo "ERROR: No SLSA provenance layer found in attestation manifest for ${{ inputs.component }} (${{ inputs.arch }})"
+            exit 1
+          fi
           echo "PROVENANCE_DIGEST=${DIGEST}" >> "$GITHUB_ENV"
       - name: Find SBOM manifest layer digest
         run: |
           set -e
           DIGEST=$(crane manifest ghcr.io/${{github.repository_owner}}/${{ inputs.component }}@${{ env.ATTESTATION_MANIFEST_DIGEST}} |  \
-            jq '.layers | map(select(.annotations["in-toto.io/predicate-type"] == "https://spdx.dev/Document")) | map(.digest) | join(" ")')
+            jq -r '.layers | map(select(.annotations["in-toto.io/predicate-type"] == "https://spdx.dev/Document")) | map(.digest) | join(" ")')
+          if [[ -z "${DIGEST}" ]]; then
+            echo "ERROR: No SBOM layer found in attestation manifest for ${{ inputs.component }} (${{ inputs.arch }})"
+            exit 1
+          fi
           echo "SBOM_DIGEST=${DIGEST}" >> "$GITHUB_ENV"
 
       # We need to upload provenance and SBOM files, plus their signatures under the GitHub Release page.
