From 49f938be347f5dfb478dfe3f1159f41b365ad2d2 Mon Sep 17 00:00:00 2001
From: Tim Hardeck
Date: Mon, 3 Feb 2025 11:40:22 +0100
Subject: [PATCH] Use Docker digest instead of tag to attest provenance
---
 .github/workflows/release.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 836f297a52..3360fb5988 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -143,12 +143,15 @@ jobs:
 CURRENT_TAG: ${{ github.ref_name }}
 run: |
 for IMG_NAME in $(yq e '.dockers[].image_templates[0]' .goreleaser.yaml | grep PRIME_REGISTRY | sed "s/{{ .Env.PRIME_REGISTRY }}/${PRIME_REGISTRY}/g" | sed "s/{{ .Tag }}/${CURRENT_TAG}/g"); do
+ # Extract Docker image reference plus digest from local image
+ IMAGE=$(docker inspect --format='{{index .RepoDigests 0}}' ${IMG_NAME})
+
 max_retries=3
 retry_delay=5
 i=0
 while [ "${i}" -lt "${max_retries}" ]; do
- if slsactl download provenance --format=slsav1 "${IMG_NAME}" > provenance-slsav1.json; then
+ if slsactl download provenance --format=slsav1 "${IMAGE}" > provenance-slsav1.json; then
 break
 fi
 if [ "${i}" -eq "$(( max_retries - 1 ))" ]; then
@@ -159,7 +162,7 @@ jobs:
 sleep "${retry_delay}"
 done
- cosign attest --yes --predicate provenance-slsav1.json --type slsaprovenance1 "${IMG_NAME}"
+ cosign attest --yes --predicate provenance-slsav1.json --type slsaprovenance1 "${IMAGE}"
 done
 - name: Upload charts to release
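Review bot: `{{index .RepoDigests 0}}` on the added `IMAGE=` line takes whichever repository digest the local daemon happens to list first, so if the image carries digests from more than one repository the provenance download here and the `cosign attest` call in the second hunk can end up bound to a reference other than the `${PRIME_REGISTRY}` image the loop selected. It would be safer to pick the digest that belongs to the repository in `IMG_NAME` and fail the step when none is present, e.g. `IMAGE=$(docker inspect --format='{{range .RepoDigests}}{{println .}}{{end}}' "${IMG_NAME}" | grep -F -- "${IMG_NAME%:*}@" | head -n1)` followed by `[ -n "${IMAGE}" ] || { echo "no pushed digest found for ${IMG_NAME}" >&2; exit 1; }`. The `${IMG_NAME}` argument to `docker inspect` is also the only unquoted expansion in the step; quote it the way `"${IMAGE}"` is quoted on the lines below. The `for` loop body continues past the end of the first hunk.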