ci: Don't hardcode the cert identity generation on attestations

viccuad · viccuad · commit a142fc000bc5 · 2026-03-19T12:37:26.000+01:00
This is useful for debugging from forks.

Signed-off-by: Víctor Cuadrado Juan &lt;vcuadradojuan@suse.de&gt;
diff --git a/.github/workflows/attestation.yml b/.github/workflows/attestation.yml
@@ -112,7 +112,7 @@ jobs:
           cosign verify-blob \
             --bundle ${{ inputs.component }}-attestation-${{ inputs.arch }}-provenance.intoto.jsonl.bundle.sigstore \
             --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
-            --certificate-identity="https://github.com/${{github.repository_owner}}/kubewarden-controller/.github/workflows/attestation.yml@${{ github.ref }}" \
+            --certificate-identity="${{ github.server_url }}/${{ github.workflow_ref }}" \
             ${{ inputs.component }}-attestation-${{ inputs.arch }}-provenance.intoto.jsonl
 
           cosign sign-blob --yes \
@@ -121,7 +121,7 @@ jobs:
           cosign verify-blob \
             --bundle ${{ inputs.component }}-attestation-${{ inputs.arch }}-sbom.json.bundle.sigstore \
             --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
-            --certificate-identity="https://github.com/${{github.repository_owner}}/kubewarden-controller/.github/workflows/attestation.yml@${{ github.ref }}" \
+            --certificate-identity="${{ github.server_url }}/${{ github.workflow_ref }}" \
             ${{ inputs.component }}-attestation-${{ inputs.arch }}-sbom.json
 
       - name: Upload SBOMs as artifacts
