From 17751ce6ef2f8fb691018a25c0ed3ec9f846bc23 Mon Sep 17 00:00:00 2001
From: Sean
Date: Wed, 11 Oct 2023 11:40:13 +0100
Subject: [PATCH] Add step to tag image as `latest-validated` after validation

This commit introduces a new job in the GitHub Actions workflow to tag the image as `latest-validated` if it passes the validation. This ensures that only validated images receive this tag, providing a safer option than using the `latest` tag, which may include failed validated images.

resloves: ec-63
signed off by: Sean Conroy sconroy@redhat.com
---
 .github/workflows/release.yaml | 25 +++++++++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 14e67fd3..0a51baa1 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -83,12 +83,33 @@ jobs:
         registry-password: ${{ secrets.GITHUB_TOKEN }}
   validate:
-    needs: provenance
+    needs: [provenance, build]
     runs-on: ubuntu-latest
     steps:
       - name: Validate image
         uses: enterprise-contract/action-validate-image@latest
         with:
-          image: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_REPO }}:${{ env.DIGEST }}
+          image: ${{ needs.build.outputs.image }}@${{ needs.build.outputs.digest }}
           identity: https:\/\/github\.com\/(slsa-framework\/slsa-github-generator|${{ github.repository_owner }}\/${{ github.event.repository.name }})\/
           issuer: https://token.actions.githubusercontent.com
+
+  Add-Tag-Validate:
+    runs-on: ubuntu-latest
+    needs: [validate, build]
+    steps:
+      # needed to login into ghcr.io and push the tag
+      - name: Log in to ghcr
+        uses: redhat-actions/podman-login@9184318aae1ee5034fbfbacc0388acf12669171f # v1
+        with:
+          registry: ${{ env.IMAGE_REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ github.token }}
+
+      - name: Pull image using Buildah
+        run: buildah pull ${{ needs.build.outputs.image }}@${{ needs.build.outputs.digest }}
+
+      - name: Tag image with latest-validated
+        run: buildah tag ${{ needs.build.outputs.image }}@${{ needs.build.outputs.digest }} ${{ needs.build.outputs.image }}:latest-validated
+
+      - name: Push latest-validated image tag
+        run: buildah push ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_REPO }}:latest-validated
\ No newline at end of file
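Review bot: The final push step names the image as `${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_REPO }}:latest-validated`, while the pull and tag steps just above it work on `${{ needs.build.outputs.image }}`; if those two references ever differ, the push either refers to a local name that was never tagged and fails, or pushes something other than the digest that `validate` checked. Using one reference throughout keeps the tag bound to the validated digest: `run: buildah push ${{ needs.build.outputs.image }}:latest-validated`. The new `Add-Tag-Validate` job has no `permissions:` block, so its `github.token` inherits whatever the workflow grants at the top level (outside this hunk); adding `permissions:` with `contents: read` and `packages: write` on the job scopes the registry-write token to the one job that needs it. The new podman-login step is pinned to a commit SHA, but the `validate` step it depends on still uses `action-validate-image@latest` (a context line, not changed here), so the validation logic itself can change under that tag; pinning it the same way would close the gap. The file also now ends without a trailing newline.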