ci: fix failing release attestation (cherry-pick #11107) (#11120)

ci: fix failing release attestation (#11107) * ci: fix failing release attestation * fix --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L. <jens@goauthentik.io>
2024-08-29 13:29:47 +02:00
parent 091e4d3e4c
commit 8326e1490c
5 changed files with 20 additions and 11 deletions
--- a/.github/actions/docker-push-variables/action.yml
+++ b/.github/actions/docker-push-variables/action.yml
@ -29,9 +29,9 @@ outputs:
  imageTags:
    description: "Docker image tags"
    value: ${{ steps.ev.outputs.imageTags }}
-  imageNames:
+  attestImageNames:
-    description: "Docker image names"
+    description: "Docker image names used for attestation"
-    value: ${{ steps.ev.outputs.imageNames }}
+    value: ${{ steps.ev.outputs.attestImageNames }}
  imageMainTag:
    description: "Docker image main tag"
    value: ${{ steps.ev.outputs.imageMainTag }}
--- a/.github/actions/docker-push-variables/push_vars.py
+++ b/.github/actions/docker-push-variables/push_vars.py
@ -51,15 +51,24 @@ else:
        ]
 image_main_tag = image_tags[0].split(":")[-1]
-image_tags_rendered = ",".join(image_tags)
+
-image_names_rendered = ",".join(set(name.split(":")[0] for name in image_tags))
+
 def get_attest_image_names(image_with_tags: list[str]):
    """Attestation only for GHCR"""
    image_tags = []
    for image_name in set(name.split(":")[0] for name in image_with_tags):
        if not image_name.startswith("ghcr.io"):
            continue
        image_tags.append(image_name)
    return ",".join(set(image_tags))
 with open(os.environ["GITHUB_OUTPUT"], "a+", encoding="utf-8") as _output:
    print(f"shouldBuild={should_build}", file=_output)
    print(f"sha={sha}", file=_output)
    print(f"version={version}", file=_output)
    print(f"prerelease={prerelease}", file=_output)
-    print(f"imageTags={image_tags_rendered}", file=_output)
+    print(f"imageTags={','.join(image_tags)}", file=_output)
-    print(f"imageNames={image_names_rendered}", file=_output)
+    print(f"attestImageNames={get_attest_image_names(image_tags)}", file=_output)
    print(f"imageMainTag={image_main_tag}", file=_output)
    print(f"imageMainName={image_tags[0]}", file=_output)
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@ -261,7 +261,7 @@ jobs:
        id: attest
        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
        with:
-          subject-name: ${{ steps.ev.outputs.imageNames }}
+          subject-name: ${{ steps.ev.outputs.attestImageNames }}
          subject-digest: ${{ steps.push.outputs.digest }}
          push-to-registry: true
  pr-comment:
--- a/.github/workflows/ci-outpost.yml
+++ b/.github/workflows/ci-outpost.yml
@ -115,7 +115,7 @@ jobs:
        id: attest
        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
        with:
-          subject-name: ${{ steps.ev.outputs.imageNames }}
+          subject-name: ${{ steps.ev.outputs.attestImageNames }}
          subject-digest: ${{ steps.push.outputs.digest }}
          push-to-registry: true
  build-binary:
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@ -58,7 +58,7 @@ jobs:
      - uses: actions/attest-build-provenance@v1
        id: attest
        with:
-          subject-name: ${{ steps.ev.outputs.imageNames }}
+          subject-name: ${{ steps.ev.outputs.attestImageNames }}
          subject-digest: ${{ steps.push.outputs.digest }}
          push-to-registry: true
  build-outpost:
@ -122,7 +122,7 @@ jobs:
      - uses: actions/attest-build-provenance@v1
        id: attest
        with:
-          subject-name: ${{ steps.ev.outputs.imageNames }}
+          subject-name: ${{ steps.ev.outputs.attestImageNames }}
          subject-digest: ${{ steps.push.outputs.digest }}
          push-to-registry: true
  build-outpost-binary: