From fba5cf8a4e5af0c675526831cb36983651f42bc1 Mon Sep 17 00:00:00 2001
From: Ben Morrow
Date: Thu, 1 Feb 2024 12:11:15 +0000
Subject: [PATCH] Fix the image base properly Run cosign over the right image. This is a UUO-xargs but I don't care. This is getting ridiculous.
---
 .github/workflows/docker-publish.yml | 27 +++++++++++++--------------
 1 file changed, 13 insertions(+), 14 deletions(-)
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index 8210086..d4746c9 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -2,6 +2,7 @@ name: Docker publish
 env:
 REGISTRY: ghcr.io
+ IMAGE_BASE: ghcr.io/amrc-factoryplus/acs-base
 on:
 release:
@@ -46,8 +47,6 @@ jobs:
 - name: Extract Docker metadata
 id: meta
 uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
- with:
- images: ${{ env.REGISTRY }}/${{ github.repository }}-build
 # Build and push Docker image with Buildx (don't push on PR)
 # https://github.com/docker/build-push-action
@@ -59,9 +58,9 @@ jobs:
 platforms: linux/amd64,linux/arm64
 file: ./Dockerfile.js-build
 push: ${{ github.event_name != 'pull_request' }}
- tags: ${{ env.REGISTRY }}/acs-base-js-build:${{ steps.meta.outputs.version }}
+ tags: ${{ env.IMAGE_BASE }}-js-build:${{ steps.meta.outputs.version }}
 build-args: |
- base=${{ env.REGISTRY }}/acs-base
+ base=${{ env.IMAGE_BASE }}
 version=${{ steps.meta.outputs.version }}
 labels: ${{ steps.meta.outputs.labels }}
 cache-from: type=gha
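Review bot: `IMAGE_BASE` repeats the `ghcr.io` host that `REGISTRY` already holds and hard-codes the `amrc-factoryplus` owner, so the two values can drift apart and a run from a fork would target the upstream namespace instead of its own. The registry login step is outside this hunk; if it authenticates against `REGISTRY`, a comment above the new line would make the coupling explicit, for example `# Must stay under REGISTRY: the login step authenticates against that host only.`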
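Review bot: With `with: images:` removed, the `meta` step runs without an image list, so `steps.meta.outputs.tags` no longer carries image-qualified references; this patch stops reading it in the signing steps, but any consumer outside the visible hunks would now receive bare tags. I cannot tell from the diff whether the pinned `docker/metadata-action` revision accepts an empty `images` input, so it is worth confirming on a test release that the step still succeeds. A comment on the step such as `# images intentionally unset: only outputs.version and outputs.labels are consumed` would stop a later change from relying on `outputs.tags` for signing again.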
@@ -78,7 +77,7 @@ jobs:
 COSIGN_EXPERIMENTAL: "true"
 # This step uses the identity token to provision an ephemeral certificate
 # against the sigstore community Fulcio instance.
- run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign --yes {}@${{ steps.build-and-push-js-build.outputs.digest }}
+ run: echo "${{ env.IMAGE_BASE }}-js-build:${{ steps.meta.outputs.version }}" | xargs -I {} cosign sign --yes {}@${{ steps.build-and-push-js-build.outputs.digest }}
 # Build and push Docker image with Buildx (don't push on PR)
 # https://github.com/docker/build-push-action
@@ -90,9 +89,9 @@ jobs:
 platforms: linux/amd64,linux/arm64
 file: ./Dockerfile.js-run
 push: ${{ github.event_name != 'pull_request' }}
- tags: ${{ env.REGISTRY }}/acs-base-js-run:${{ steps.meta.outputs.version }}
+ tags: ${{ env.IMAGE_BASE }}-js-run:${{ steps.meta.outputs.version }}
 build-args: |
- base=${{ env.REGISTRY }}/acs-base
+ base=${{ env.IMAGE_BASE }}
 version=${{ steps.meta.outputs.version }}
 labels: ${{ steps.meta.outputs.labels }}
 cache-from: type=gha
@@ -109,7 +108,7 @@ jobs:
 COSIGN_EXPERIMENTAL: "true"
 # This step uses the identity token to provision an ephemeral certificate
 # against the sigstore community Fulcio instance.
- run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign --yes {}@${{ steps.build-and-push-js-run.outputs.digest }}
+ run: echo "${{ env.IMAGE_BASE }}-js-run:${{ steps.meta.outputs.version }}" | xargs -I {} cosign sign --yes {}@${{ steps.build-and-push-js-run.outputs.digest }}
 # Build and push Docker image with Buildx (don't push on PR)
 # https://github.com/docker/build-push-action
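Review bot: The new `run:` line splices `${{ steps.meta.outputs.version }}` into the script text before the shell parses it, so a version string derived from a Git ref containing shell metacharacters would be interpreted rather than passed as data; the js-run, pg-build and pg-run signing steps have the same shape. Pass the values through the step's `env:` and quote them: add `IMAGE: ${{ env.IMAGE_BASE }}-js-build` and `DIGEST: ${{ steps.build-and-push-js-build.outputs.digest }}` next to `COSIGN_EXPERIMENTAL`, then use `run: cosign sign --yes "${IMAGE}@${DIGEST}"`. That also removes the echo/xargs pipe the commit message mentions, and the tag can be dropped because the reference is signed by digest. The step's `if:` condition is outside the hunk; since the build uses `push: ${{ github.event_name != 'pull_request' }}`, signing should be guarded the same way if it is not already.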
@@ -121,9 +120,9 @@ jobs:
 platforms: linux/amd64,linux/arm64
 file: ./Dockerfile.pg-build
 push: ${{ github.event_name != 'pull_request' }}
- tags: ${{ env.REGISTRY }}/acs-base-pg-build:${{ steps.meta.outputs.version }}
+ tags: ${{ env.IMAGE_BASE }}-pg-build:${{ steps.meta.outputs.version }}
 build-args: |
- base=${{ env.REGISTRY }}/acs-base
+ base=${{ env.IMAGE_BASE }}
 version=${{ steps.meta.outputs.version }}
 labels: ${{ steps.meta.outputs.labels }}
 cache-from: type=gha
@@ -140,7 +139,7 @@ jobs:
 COSIGN_EXPERIMENTAL: "true"
 # This step uses the identity token to provision an ephemeral certificate
 # against the sigstore community Fulcio instance.
- run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign --yes {}@${{ steps.build-and-push-pg-build.outputs.digest }}
+ run: echo "${{ env.IMAGE_BASE }}-pg-build:${{ steps.meta.outputs.version }}" | xargs -I {} cosign sign --yes {}@${{ steps.build-and-push-pg-build.outputs.digest }}
 # Build and push Docker image with Buildx (don't push on PR)
 # https://github.com/docker/build-push-action
@@ -152,9 +151,9 @@ jobs:
 platforms: linux/amd64,linux/arm64
 file: ./Dockerfile.pg-run
 push: ${{ github.event_name != 'pull_request' }}
- tags: ${{ env.REGISTRY }}/acs-base-pg-run:${{ steps.meta.outputs.version }}
+ tags: ${{ env.IMAGE_BASE }}-pg-run:${{ steps.meta.outputs.version }}
 build-args: |
- base=${{ env.REGISTRY }}/acs-base
+ base=${{ env.IMAGE_BASE }}
 version=${{ steps.meta.outputs.version }}
 labels: ${{ steps.meta.outputs.labels }}
 cache-from: type=gha
@@ -171,5 +170,5 @@ jobs:
 COSIGN_EXPERIMENTAL: "true"
 # This step uses the identity token to provision an ephemeral certificate
 # against the sigstore community Fulcio instance.
- run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign --yes {}@${{ steps.build-and-push-pg-run.outputs.digest }}
+ run: echo "${{ env.IMAGE_BASE }}-pg-run:${{ steps.meta.outputs.version }}" | xargs -I {} cosign sign --yes {}@${{ steps.build-and-push-pg-run.outputs.digest }}