From 835a4097eb592c3e9ecda549891a74a8298a8165 Mon Sep 17 00:00:00 2001
From: "Jens L."
Date: Thu, 29 Aug 2024 13:24:40 +0200
Subject: [PATCH] ci: fix failing release attestation (#11107)
* ci: fix failing release attestation
Signed-off-by: Jens Langhammer
* fix
Signed-off-by: Jens Langhammer
---------
Signed-off-by: Jens Langhammer
---
 .../actions/docker-push-variables/action.yml | 6 +++---
 .../actions/docker-push-variables/push_vars.py | 17 +++++++++++++----
 .github/workflows/ci-main.yml | 2 +-
 .github/workflows/ci-outpost.yml | 2 +-
 .github/workflows/release-publish.yml | 4 ++--
 5 files changed, 20 insertions(+), 11 deletions(-)
diff --git a/.github/actions/docker-push-variables/action.yml b/.github/actions/docker-push-variables/action.yml
index 741a96ac30..66f5a16055 100644
--- a/.github/actions/docker-push-variables/action.yml
+++ b/.github/actions/docker-push-variables/action.yml
@@ -29,9 +29,9 @@ outputs:
 imageTags:
 description: "Docker image tags"
 value: ${{ steps.ev.outputs.imageTags }}
- imageNames:
- description: "Docker image names"
- value: ${{ steps.ev.outputs.imageNames }}
+ attestImageNames:
+ description: "Docker image names used for attestation"
+ value: ${{ steps.ev.outputs.attestImageNames }}
 imageMainTag:
 description: "Docker image main tag"
 value: ${{ steps.ev.outputs.imageMainTag }}
diff --git a/.github/actions/docker-push-variables/push_vars.py b/.github/actions/docker-push-variables/push_vars.py
index 94d3b42088..8f91abbe32 100644
--- a/.github/actions/docker-push-variables/push_vars.py
+++ b/.github/actions/docker-push-variables/push_vars.py
@@ -51,15 +51,24 @@ else:
 ]
 image_main_tag = image_tags[0].split(":")[-1]
-image_tags_rendered = ",".join(image_tags)
-image_names_rendered = ",".join(set(name.split(":")[0] for name in image_tags))
+
+
+def get_attest_image_names(image_with_tags: list[str]):
+ """Attestation only for GHCR"""
+ image_tags = []
+ for image_name in set(name.split(":")[0] for name in image_with_tags):
+ if not image_name.startswith("ghcr.io"):
+ continue
+ image_tags.append(image_name)
+ return ",".join(set(image_tags))
+
 with open(os.environ["GITHUB_OUTPUT"], "a+", encoding="utf-8") as _output:
 print(f"shouldBuild={should_build}", file=_output)
 print(f"sha={sha}", file=_output)
 print(f"version={version}", file=_output)
 print(f"prerelease={prerelease}", file=_output)
- print(f"imageTags={image_tags_rendered}", file=_output)
- print(f"imageNames={image_names_rendered}", file=_output)
+ print(f"imageTags={','.join(image_tags)}", file=_output)
+ print(f"attestImageNames={get_attest_image_names(image_tags)}", file=_output)
 print(f"imageMainTag={image_main_tag}", file=_output)
 print(f"imageMainName={image_tags[0]}", file=_output)
diff --git a/.github/workflows/ci-main.yml b/.github/workflows/ci-main.yml
index f70258dc7e..3a87eab950 100644
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@@ -261,7 +261,7 @@ jobs:
 id: attest
 if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
 with:
- subject-name: ${{ steps.ev.outputs.imageNames }}
+ subject-name: ${{ steps.ev.outputs.attestImageNames }}
 subject-digest: ${{ steps.push.outputs.digest }}
 push-to-registry: true
 pr-comment:
diff --git a/.github/workflows/ci-outpost.yml b/.github/workflows/ci-outpost.yml
index abb9f41bc0..3f8888f9ff 100644
--- a/.github/workflows/ci-outpost.yml
+++ b/.github/workflows/ci-outpost.yml
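Review bot: In `get_attest_image_names` (push_vars.py), the filter `image_name.startswith("ghcr.io")` is a bare prefix match, so a name on a host such as `ghcr.io.example.test/...` (constructed example) would also be selected as an attestation subject; matching the host together with its separator, `if not image_name.startswith("ghcr.io/"):`, closes that gap. The result is joined from a `set`, whose ordering for strings is not stable between runs, so `return ",".join(sorted(image_tags))` would make `attestImageNames` reproducible, and the local list would read better as `image_names`, since it shadows the module-level `image_tags` and holds names without tags. When none of the tags is on GHCR the function returns an empty string, and the attest steps that consume it as `subject-name` in ci-main.yml, ci-outpost.yml and release-publish.yml show no guard for that case; how the attest action treats an empty subject is not visible here, so it is worth confirming or adding an `if` on the output. A `-> str` return annotation and a docstring saying the value is a comma-separated list of tag-less GHCR image names would document the contract.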
@@ -115,7 +115,7 @@ jobs:
 id: attest
 if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
 with:
- subject-name: ${{ steps.ev.outputs.imageNames }}
+ subject-name: ${{ steps.ev.outputs.attestImageNames }}
 subject-digest: ${{ steps.push.outputs.digest }}
 push-to-registry: true
 build-binary:
diff --git a/.github/workflows/release-publish.yml b/.github/workflows/release-publish.yml
index bb8949650e..c0b2d66c27 100644
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@@ -58,7 +58,7 @@ jobs:
 - uses: actions/attest-build-provenance@v1
 id: attest
 with:
- subject-name: ${{ steps.ev.outputs.imageNames }}
+ subject-name: ${{ steps.ev.outputs.attestImageNames }}
 subject-digest: ${{ steps.push.outputs.digest }}
 push-to-registry: true
 build-outpost:
@@ -122,7 +122,7 @@ jobs:
 - uses: actions/attest-build-provenance@v1
 id: attest
 with:
- subject-name: ${{ steps.ev.outputs.imageNames }}
+ subject-name: ${{ steps.ev.outputs.attestImageNames }}
 subject-digest: ${{ steps.push.outputs.digest }}
 push-to-registry: true
 build-outpost-binary: