fix: Sign images using digest/repo instead of path

break attestation into its own workflow Signed-off-by: Dan Urson <[email protected]> add permissions back to attestation workflow Signed-off-by: Dan Urson <[email protected]> delete independent attestation wf it's supposed to be contained in the build wf per github best practices Signed-off-by: Dan Urson <[email protected]> add back modified build workflow contains updated attestation step Signed-off-by: Dan Urson <[email protected]> aparently the tag is the path wtf Signed-off-by: Dan Urson <[email protected]> try again with the bare repo name as the path Signed-off-by: Dan Urson <[email protected]> Test Signed-off-by: Dan Urson <[email protected]> Co-authored-by: Robert Kugler <[email protected]> Fix digest Signed-off-by: Dan Urson <[email protected]> Co-authored-by: Robert Kugler <[email protected]> Fix subject name Signed-off-by: Dan Urson <[email protected]> Co-authored-by: Robert Kugler <[email protected]> Try variable Signed-off-by: Dan Urson <[email protected]> Co-authored-by: Robert Kugler <[email protected]>
runatlantis · Dec 16, 2024 · de0084a · de0084a
1 parent 44880f8
commit de0084a
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/.github/workflows/atlantis-image.yml b/.github/workflows/atlantis-image.yml
@@ -157,8 +157,8 @@ jobs:
       if: env.PUSH == 'true'
       uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0
       with:
-        subject-path: ${{ steps.build.outputs.image-name }}@${{ steps.build.outputs.digest }}
         subject-digest: ${{ steps.build.outputs.digest }}
+        subject-name: ghcr.io/${{ github.repository }}
         push-to-registry: true
 
   test: