From de0084a77c0a97224b4e966bfb458d7b4bed7a31 Mon Sep 17 00:00:00 2001
From: Dan Urson
Date: Mon, 16 Dec 2024 08:35:28 -0500
Subject: [PATCH] fix: Sign images using digest/repo instead of path break attestation into its own workflow
Signed-off-by: Dan Urson
add permissions back to attestation workflow
Signed-off-by: Dan Urson
delete independent attestation wf it's supposed to be contained in the build wf per github best practices
Signed-off-by: Dan Urson
add back modified build workflow contains updated attestation step
Signed-off-by: Dan Urson
aparently the tag is the path wtf
Signed-off-by: Dan Urson
try again with the bare repo name as the path
Signed-off-by: Dan Urson
Test
Signed-off-by: Dan Urson
Co-authored-by: Robert Kugler
Fix digest
Signed-off-by: Dan Urson
Co-authored-by: Robert Kugler
Fix subject name
Signed-off-by: Dan Urson
Co-authored-by: Robert Kugler
Try variable
Signed-off-by: Dan Urson
Co-authored-by: Robert Kugler
---
 .github/workflows/atlantis-image.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/atlantis-image.yml b/.github/workflows/atlantis-image.yml
index 08936ce74a..86900b9254 100644
--- a/.github/workflows/atlantis-image.yml
+++ b/.github/workflows/atlantis-image.yml
@@ -157,8 +157,8 @@ jobs:
 if: env.PUSH == 'true'
 uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0
 with:
- subject-path: ${{ steps.build.outputs.image-name }}@${{ steps.build.outputs.digest }}
 subject-digest: ${{ steps.build.outputs.digest }}
+ subject-name: ghcr.io/${{ github.repository }}
 push-to-registry: true
 test:
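Review bot: `subject-name: ghcr.io/${{ github.repository }}` rebuilds the image name independently of the build step, so with `push-to-registry: true` the attestation is stored under whatever this expression yields rather than under the repository the image was actually pushed to. `github.repository` keeps the owner's original casing while registry repository names have to be lowercase, so a fork or a renamed organisation can make this step fail or leave the pushed image without a retrievable attestation. Feed the step from the same value the build step pushes with (for example a workflow-level variable, placeholder name `IMAGE_REPO`: `subject-name: ${{ env.IMAGE_REPO }}`) and add a comment such as `# untagged, lowercase repo the image was pushed to; the digest pins the exact image`. The step's `name:` line and the job's `permissions:` block are outside the hunk, so confirm that `id-token: write`, `attestations: write` and `packages: write` are still granted there.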