From 313e926906f8b0050bcebc0c70bea2ae9978659c Mon Sep 17 00:00:00 2001
From: arewm
Date: Fri, 26 Jul 2024 11:16:49 -0400
Subject: [PATCH] Ensure that Chains sees all image manifests referenced

Due to a bug in Chains, it does not currently see all images produced within a matrix. In order to work around this, we can expose all images that we include in our Image Index so that Chains can generate the provenance for all of them.

Signed-off-by: arewm
---
 task/build-image-manifest/0.1/build-image-manifest.yaml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/task/build-image-manifest/0.1/build-image-manifest.yaml b/task/build-image-manifest/0.1/build-image-manifest.yaml
index e0d1a08cd7..cc6da76701 100644
--- a/task/build-image-manifest/0.1/build-image-manifest.yaml
+++ b/task/build-image-manifest/0.1/build-image-manifest.yaml
@@ -39,6 +39,8 @@ spec:
 name: IMAGE_DIGEST
 - description: Image repository where the built image was pushed
 name: IMAGE_URL
+ - description: List of all referenced image manifests
+ name: IMAGES
 stepTemplate:
 env:
 - name: BUILDAH_FORMAT
@@ -72,6 +74,7 @@ spec:
 sed -i 's/^\s*short-name-mode\s*=\s*.*/short-name-mode = "disabled"/' /etc/containers/registries.conf
+ image_manifests=""
 buildah manifest create "$IMAGE"
 for i in $@
 do
@@ -82,6 +85,7 @@ spec:
 TOADD="$(echo $i | cut -d: -f1)@sha256:$(echo $i | cut -d: -f3)"
 fi
 echo "Adding $TOADD"
+ image_manifests="${image_manifests} ${TOADD},"
 buildah manifest add $IMAGE "docker://$TOADD" --all
 done
@@ -102,8 +106,9 @@ spec:
 exit 1
 fi
- cat image-digest | tee $(results.IMAGE_DIGEST.path)
- echo -n "$IMAGE" | tee $(results.IMAGE_URL.path)
+ cat image-digest | tee "$(results.IMAGE_DIGEST.path)"
+ echo -n "$IMAGE" | tee "$(results.IMAGE_URL.path)"
+ echo -n "${image_manifests:1:-1}" > "${results.IMAGES.path}"
 securityContext:
 capabilities:
 add:
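Review bot: The description of the new `IMAGES` result does not say what format the value has, although Chains picks this result up by name and its documentation asks for a comma- or newline-separated list of digest-pinned references. I would state that contract in the task itself, for example `description: Comma-separated list of all referenced image manifests, each as repository@sha256:digest`. A reader of the task then knows that a tag-only entry is not a valid value here.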
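Review bot: The accumulator line `image_manifests="${image_manifests} ${TOADD},"` depends on the later `${image_manifests:1:-1}` slice to strip the leading space and trailing comma, and that slice has nothing valid to cut when the loop adds no image (bash appears to report a substring error for an empty string). Building the list with a conditional separator removes the coupling: `image_manifests="${image_manifests:+${image_manifests},}${TOADD}"`, after which the value can be written as `"$image_manifests"` unchanged. The `if` branch that sets `TOADD` starts outside the hunk; if its other arm can leave a reference without `@sha256:`, that entry would not be digest-pinned in the provenance, so it is worth confirming. The loop and the script continue outside the hunk.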
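Review bot: The last added line writes to `"${results.IMAGES.path}"` with braces, while the two lines above it use Tekton's `$(results.….path)` form. Tekton substitutes only the `$(…)` form, so the braces reach the shell unchanged, where bash rejects a parameter name containing dots as a bad substitution. The IMAGES result is then never written and Chains has nothing to build provenance from, which is the gap this commit sets out to close. The line should read `echo -n "${image_manifests:1:-1}" > "$(results.IMAGES.path)"`. The script body starts before this hunk, so whether the failure aborts the step depends on shell options not visible here.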