diff --git a/publish-image-index-manifest/README.md b/publish-image-index-manifest/README.md
index 24f3a25..a71f0d5 100644
--- a/publish-image-index-manifest/README.md
+++ b/publish-image-index-manifest/README.md
@@ -29,5 +29,6 @@ This action creates an image index manifest, publishes it, and signs it. It does
 ### Outputs
 - `image-index-uri`: The final image index URI, eg. `oci.stackable.tech/spd/kafka:3.4.1-stackable0.0.0-dev`.
+- `image-index-manifest-digest`: The digest (`sha256:...`) of the pushed image index manifest, used as input for SLSA provenance generation.
 [publish-image-index-manifest]: ./action.yaml
diff --git a/publish-image-index-manifest/action.yaml b/publish-image-index-manifest/action.yaml
index 3de100c..49167cc 100644
--- a/publish-image-index-manifest/action.yaml
+++ b/publish-image-index-manifest/action.yaml
@@ -41,6 +41,11 @@ outputs:
 image-index-uri:
 description: The Image Index URI.
 value: ${{ steps.create-index.outputs.IMAGE_INDEX_URI }}
+ image-index-manifest-digest:
+ description: |
+ The digest (sha256:...) of the pushed image index manifest. Used as input
+ for SLSA provenance generation.
+ value: ${{ steps.create-index.outputs.IMAGE_INDEX_MANIFEST_DIGEST }}
 runs:
 using: composite
 steps:
@@ -94,6 +99,11 @@ runs:
 docker manifest create "$IMAGE_INDEX_URI" ${AMEND_OPTIONS[@]}
 docker manifest push "$IMAGE_INDEX_URI"
+ # Get the image index manifest digest and expose it as an output, so it
+ # can be fed into SLSA provenance generation.
+ DIGEST=$("$GITHUB_ACTION_PATH/../.scripts/actions/get_manifest_digest.sh" "$IMAGE_INDEX_URI")
+ echo "IMAGE_INDEX_MANIFEST_DIGEST=$DIGEST" | tee -a "$GITHUB_OUTPUT"
+
 - name: Sign Image Index Manifest
 shell: bash
 env:
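Review bot: `DIGEST` is written to `$GITHUB_OUTPUT` in the create-index step without any check that the script returned exactly one `sha256:` digest, so an empty or multi-line result would become the action output as-is. That value is now the only source for the signing step in the following hunk (`$REGISTRY_URI/$IMAGE_REPOSITORY@$DIGEST`) and, per the output description, for SLSA provenance; `set -u` there will not catch it, because the `env:` mapping defines `DIGEST` even when the output is empty. A guard before the `echo` would fail the job early: `[[ "$DIGEST" =~ ^sha256:[0-9a-f]{64}$ ]] || { echo "unexpected manifest digest: '$DIGEST'" >&2; exit 1; }`. The digest is also resolved from the tag after the push (presumably `get_manifest_digest.sh` queries the registry — worth confirming), so if another job can move the same tag in between, the signed and attested digest may not be the manifest this job pushed. The step's `run:` body starts outside the hunk.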
@@ -101,14 +111,12 @@ runs:
 RETRY_COUNT: ${{ inputs.cosign-retries }}
 RETRY_ARGS: --verbose
 IMAGE_INDEX_URI: ${{ steps.create-index.outputs.IMAGE_INDEX_URI }}
+ DIGEST: ${{ steps.create-index.outputs.IMAGE_INDEX_MANIFEST_DIGEST }}
 IMAGE_REPOSITORY: ${{ inputs.image-repository }}
 REGISTRY_URI: ${{ inputs.image-registry-uri }}
 run: |
 set -euo pipefail
- # Get the image index manifest digest
- DIGEST=$("$GITHUB_ACTION_PATH/../.scripts/actions/get_manifest_digest.sh" "$IMAGE_INDEX_URI")
-
 # Construct the image repo digest, which for example contains:
 # oci.stackable.tech/sdp/kafka@sha256:91...
 IMAGE_REPO_DIGEST="$REGISTRY_URI/$IMAGE_REPOSITORY@$DIGEST"