feat: push attestation artifacts by digest
@@ -249,7 +249,7 @@ func (manifest *Manifest) BuildReferringArtifacts() ([]v1.Image, error) {
|
||||
return images, nil
|
||||
}
|
||||
|
||||
// build and image containing only layers.
|
||||
// build an image containing only layers.
|
||||
func buildImage(layers []*Layer, manifest *v1.Descriptor, subject *v1.Descriptor, opts *ManifestImageOptions) (v1.Image, error) {
|
||||
newImg := empty.Image
|
||||
var err error
|
||||
|
||||
@@ -134,21 +134,30 @@ func SaveReferrers(manifest *attestation.Manifest, outputs []*oci.ImageSpec) err
|
||||
continue
|
||||
}
|
||||
// so that we use the same tag each time to reduce number of tags (tags aren't needed for referrers but we must push one)
|
||||
attOut, err := oci.ReplaceTagInSpec(output, manifest.SubjectDescriptor.Digest)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
// otherwise we end up with the detected platform, though I'm not sure it matters
|
||||
attOut.Platform = &v1.Platform{
|
||||
OS: "unknown",
|
||||
Architecture: "unknown",
|
||||
}
|
||||
// attOut, err := oci.ReplaceTagInSpec(output, manifest.SubjectDescriptor.Digest)
|
||||
// if err != nil {
|
||||
// return err
|
||||
// }
|
||||
images, err := manifest.BuildReferringArtifacts()
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to build image: %w", err)
|
||||
}
|
||||
for _, image := range images {
|
||||
err := PushImageToRegistry(image, attOut.Identifier)
|
||||
layers, err := image.Layers()
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to get attestation image layers: %w", err)
|
||||
}
|
||||
digest, err := layers[0].Digest()
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to get attestation image digest: %w", err)
|
||||
}
|
||||
digest2, _ := image.Digest()
|
||||
fmt.Printf("digest: %s, digest2: %s\n", digest, digest2)
|
||||
attOut, err := oci.ReplaceDigestInSpec(output, digest2)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to create attestation image spec: %w", err)
|
||||
}
|
||||
err = PushImageToRegistry(image, attOut.Identifier)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to push image: %w", err)
|
||||
}
|
||||
|
||||
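Review bot: `digest2, _ := image.Digest()` discards the error, and that hash is then passed to `oci.ReplaceDigestInSpec` to build the reference the attestation is pushed to, so a failed digest computation would put a zero-value hash in the push target instead of surfacing an error. Handle it like the neighbouring calls: `digest, err := image.Digest()` followed by `if err != nil { return fmt.Errorf("failed to get attestation image digest: %w", err) }`. The `layers[0].Digest()` lookup feeds only the `fmt.Printf` debug line and indexes without a length check, so an image with no layers would panic here; both the lookup and the Printf look like leftover debugging and can be dropped, along with the commented-out `ReplaceTagInSpec` block. The +/- markers are lost on this page, so which lines are new is inferred from the hunk header and the code itself, and SaveReferrers starts and ends outside the hunk.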
@@ -172,3 +172,26 @@ func replaceTag(image string, digest v1.Hash) (string, error) {
|
||||
}
|
||||
return fmt.Sprintf("%s:%s-%s.att", notag, digest.Algorithm, digest.Hex), nil
|
||||
}
|
||||
|
||||
func ReplaceDigestInSpec(src *ImageSpec, digest v1.Hash) (*ImageSpec, error) {
|
||||
newName, err := replaceDigest(src.Identifier, digest)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to parse repo name: %w", err)
|
||||
}
|
||||
return &ImageSpec{
|
||||
Identifier: newName,
|
||||
Type: src.Type,
|
||||
Platform: src.Platform,
|
||||
}, nil
|
||||
}
|
||||
|
||||
func replaceDigest(image string, digest v1.Hash) (string, error) {
|
||||
if strings.HasPrefix(image, LocalPrefix) {
|
||||
return image, nil
|
||||
}
|
||||
notag, err := WithoutTag(image)
|
||||
if err != nil {
|
||||
return "", nil
|
||||
}
|
||||
return fmt.Sprintf("%s@%s:%s", notag, digest.Algorithm, digest.Hex), nil
|
||||
}
|
||||
|
||||
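Review bot: `replaceDigest` returns `"", nil` when `WithoutTag` fails, so the `failed to parse repo name` branch in `ReplaceDigestInSpec` can never fire and the caller gets an `ImageSpec` with an empty `Identifier` and no error, which the SaveReferrers hunk then hands to `PushImageToRegistry`. Return the failure instead: `return "", err`. Neither function checks that `digest.Algorithm` and `digest.Hex` are non-empty, so a zero `v1.Hash` would format as `name@:`; rejecting it here keeps a malformed reference from reaching the push. The exported function also needs a doc comment, for example `// ReplaceDigestInSpec returns a copy of src whose Identifier refers to digest; identifiers starting with LocalPrefix are returned unchanged.`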