From 92e5a966909e6e385e31d1868b9855b5c8149806 Mon Sep 17 00:00:00 2001
From: Scott Leggett
Date: Tue, 11 Jun 2024 17:32:54 +0800
Subject: [PATCH] fix: update release workflow to fix attestation logic

---
 .github/workflows/release.yaml | 38 +++++++++++++++++++++++++++-------
 .goreleaser.yaml               |  1 +
 2 files changed, 31 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 5d000ac..cd22fca 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -63,20 +63,42 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GITHUB_SBOM_PATH: ./sbom.spdx.json
+      # attest archives
+      - uses: actions/attest-build-provenance@49df96e17e918a15956db358890b08e61c704919 # v1.2.0
+        with:
+          subject-path: "dist/*.tar.gz"
       # parse artifacts to the format required for image attestation
       - run: |
-          echo "digest=$(echo "$ARTIFACTS" | jq -r '.[]|select(.type=="Docker Manifest")|select(.name|test(":v"))|.extra.Digest')" >> "$GITHUB_OUTPUT"
-          echo "name=$(echo "$ARTIFACTS" | jq -r '.[]|select(.type=="Docker Manifest")|select(.name|test(":v"))|.name|split(":")[0]')" >> "$GITHUB_OUTPUT"
-        id: image_metadata
+          echo "digest=$(echo "$ARTIFACTS" | jq -r '.[]|select(.type=="Docker Manifest")|select(.name|test("ssh-portal:v"))|.extra.Digest')" >> "$GITHUB_OUTPUT"
+          echo "name=$(echo "$ARTIFACTS" | jq -r '.[]|select(.type=="Docker Manifest")|select(.name|test("ssh-portal:v"))|.name|split(":")[0]')" >> "$GITHUB_OUTPUT"
+        id: image_metadata_ssh_portal
         env:
           ARTIFACTS: ${{steps.goreleaser.outputs.artifacts}}
-      # attest archives
+      - run: |
+          echo "digest=$(echo "$ARTIFACTS" | jq -r '.[]|select(.type=="Docker Manifest")|select(.name|test("ssh-portal-api:v"))|.extra.Digest')" >> "$GITHUB_OUTPUT"
+          echo "name=$(echo "$ARTIFACTS" | jq -r '.[]|select(.type=="Docker Manifest")|select(.name|test("ssh-portal-api:v"))|.name|split(":")[0]')" >> "$GITHUB_OUTPUT"
+        id: image_metadata_ssh_portal_api
+        env:
+          ARTIFACTS: ${{steps.goreleaser.outputs.artifacts}}
+      - run: |
+          echo "digest=$(echo "$ARTIFACTS" | jq -r '.[]|select(.type=="Docker Manifest")|select(.name|test("ssh-token:v"))|.extra.Digest')" >> "$GITHUB_OUTPUT"
+          echo "name=$(echo "$ARTIFACTS" | jq -r '.[]|select(.type=="Docker Manifest")|select(.name|test("ssh-token:v"))|.name|split(":")[0]')" >> "$GITHUB_OUTPUT"
+        id: image_metadata_ssh_token
+        env:
+          ARTIFACTS: ${{steps.goreleaser.outputs.artifacts}}
+      # attest images
       - uses: actions/attest-build-provenance@49df96e17e918a15956db358890b08e61c704919 # v1.2.0
         with:
-          subject-path: "dist/*.tar.gz"
-      # attest images
+          subject-digest: ${{steps.image_metadata_ssh_portal.outputs.digest}}
+          subject-name: ${{steps.image_metadata_ssh_portal.outputs.name}}
+          push-to-registry: true
+      - uses: actions/attest-build-provenance@49df96e17e918a15956db358890b08e61c704919 # v1.2.0
+        with:
+          subject-digest: ${{steps.image_metadata_ssh_portal_api.outputs.digest}}
+          subject-name: ${{steps.image_metadata_ssh_portal_api.outputs.name}}
+          push-to-registry: true
       - uses: actions/attest-build-provenance@49df96e17e918a15956db358890b08e61c704919 # v1.2.0
         with:
-          subject-digest: ${{steps.image_metadata.outputs.digest}}
-          subject-name: ${{steps.image_metadata.outputs.name}}
+          subject-digest: ${{steps.image_metadata_ssh_token.outputs.digest}}
+          subject-name: ${{steps.image_metadata_ssh_token.outputs.name}}
           push-to-registry: true
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index e82aff5..20ed384 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -1,3 +1,4 @@
+version: 2
 builds:
   - &buildDefinition
     id: ssh-portal
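Review bot: The three added `run` steps (`image_metadata_ssh_portal`, `image_metadata_ssh_portal_api`, `image_metadata_ssh_token`) write whatever jq returns straight into `$GITHUB_OUTPUT`, so if the `test("ssh-portal:v")` filter matches no `Docker Manifest` entry, or more than one (several tags published for the same image, for instance), the step still succeeds and the corresponding `attest-build-provenance` step receives an empty or multi-line `subject-digest`; the failure then surfaces, if at all, in the attestation step with no hint of the cause, and a wrong subject could go unnoticed. Capturing the jq result in a variable and aborting unless it is exactly one non-empty digest (and a non-empty name) makes that impossible to miss; it is shown for the first step below and the other two need the identical guard. The three steps differ only in the image name, so one step looping over the three names and emitting per-image outputs would remove the triplication, though that is a style choice. The step that owns the `env:` at the top of the hunk begins outside it, and the job's `permissions:` block is outside the hunk as well — `push-to-registry: true` requires `attestations: write`, `id-token: write` and `packages: write` on the job, which this hunk cannot confirm.

```yaml
      - run: |
          digest=$(echo "$ARTIFACTS" | jq -r '.[]|select(.type=="Docker Manifest")|select(.name|test("ssh-portal:v"))|.extra.Digest')
          name=$(echo "$ARTIFACTS" | jq -r '.[]|select(.type=="Docker Manifest")|select(.name|test("ssh-portal:v"))|.name|split(":")[0]')
          # exactly one digest line and a non-empty name, otherwise stop before anything is attested
          if [ -z "$digest" ] || [ "$(printf '%s' "$digest" | wc -l)" -ne 0 ] || [ -z "$name" ]; then
            echo "ssh-portal: expected exactly one Docker Manifest digest, got '$digest' (name '$name')" >&2
            exit 1
          fi
          echo "digest=$digest" >> "$GITHUB_OUTPUT"
          echo "name=$name" >> "$GITHUB_OUTPUT"
        id: image_metadata_ssh_portal
        # … unchanged: env: ARTIFACTS …
```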