Merge pull request #162 from smlx/attestv3

smlx · web-flow · commit ec1559b4af92 · 2024-05-21T21:18:08.000+08:00
fix: use the right output variable
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -81,20 +81,20 @@ jobs:
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         GITHUB_SBOM_PATH: ./sbom.spdx.json
-    # parse metadata to the format required for image attestation
+    # parse artifacts to the format required for image attestation
     - run: |
-        echo "digest=$(echo "$METADATA" | jq -r '.[]|select(.type=="Docker Manifest")|select(.name|test(":v"))|.extra.Digest')" >> "$GITHUB_OUTPUT"
-        echo "name=$(echo "$METADATA" | jq -r '.[]|select(.type=="Docker Manifest")|select(.name|test(":v"))|.name|split(":")[0]')" >> "$GITHUB_OUTPUT"
-      id: artifact_metadata
+        echo "digest=$(echo "$ARTIFACTS" | jq -r '.[]|select(.type=="Docker Manifest")|select(.name|test(":v"))|.extra.Digest')" >> "$GITHUB_OUTPUT"
+        echo "name=$(echo "$ARTIFACTS" | jq -r '.[]|select(.type=="Docker Manifest")|select(.name|test(":v"))|.name|split(":")[0]')" >> "$GITHUB_OUTPUT"
+      id: image_metadata
       env:
-        METADATA: ${{steps.goreleaser.outputs.metadata}}
+        ARTIFACTS: ${{steps.goreleaser.outputs.artifacts}}
     # attest archives
     - uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2
       with:
         subject-path: "dist/*.tar.gz"
     # attest images
     - uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2
       with:
-        subject-digest: ${{steps.artifact_metadata.outputs.digest}}
-        subject-name: ${{steps.artifact_metadata.outputs.name}}
+        subject-digest: ${{steps.image_metadata.outputs.digest}}
+        subject-name: ${{steps.image_metadata.outputs.name}}
         push-to-registry: true
