Attest with name containing the registry

kohtala · kohtala · commit b9cb2152ed7b · 2026-01-12T12:35:03.000+02:00
Build gives "Error: Invalid image name". I believe it is because the
registry is missing in the container name.

The CPU version still had "-" suffix.
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -58,7 +58,7 @@ jobs:
       # Tags have limited set of valid character, '+' not included
       # https://github.com/opencontainers/distribution-spec/blob/main/spec.md#pulling-manifests
       run: |
-        echo "tag=$(echo -n "${{ matrix.torch }}${{ matrix.index && format('-{0}', matrix.index) || '' }}-${{ matrix.python }}${PLATFORM+-}${PLATFORM#*/}" | tr -c 'a-zA-Z0-9._-' '[-*]')" >> $GITHUB_OUTPUT
+        echo "tag=$(echo -n "${{ matrix.torch }}${{ matrix.index && format('-{0}', matrix.index) || '' }}-${{ matrix.python }}${PLATFORM:+-}${PLATFORM#*/}" | tr -c 'a-zA-Z0-9._-' '[-*]')" >> $GITHUB_OUTPUT
       env:
         PLATFORM: ${{ matrix.index != 'cpu' && matrix.platform || '' }}
 
@@ -88,7 +88,7 @@ jobs:
     - name: Create attestation for the image
       uses: actions/attest-build-provenance@v3
       with:
-        subject-name: ${{ vars.DOCKERHUB_USERNAME }}/python-torch:${{ steps.build-tag.outputs.tag }}
+        subject-name: docker.io/${{ vars.DOCKERHUB_USERNAME }}/python-torch:${{ steps.build-tag.outputs.tag }}
         subject-digest: ${{ steps.build-push.outputs.digest }}
         push-to-registry: true
 
@@ -117,18 +117,19 @@ jobs:
         # This must match the build job tag generation
         tag="$(echo -n "${{ matrix.torch }}${{ matrix.index && format('-{0}', matrix.index) || '' }}-${{ matrix.python }}" | tr -c 'a-zA-Z0-9._-' '[-*]')"
         echo "tag=${tag}" >> $GITHUB_OUTPUT
-        name="$DOCKERHUB_USERNAME/python-torch:${tag}"
+        repository="docker.io/$DOCKERHUB_USERNAME/python-torch"
+        name="$repository:$tag"
         echo "name=${name}" >> $GITHUB_OUTPUT
         docker buildx imagetools create \
           --tag $name \
           ${name}-amd64 \
           ${name}-arm64
-        # Unfortunately we don't get the digest directly so we need to query it
+        # Unfortunately we don't get the digest directly so we need to query it risking it get changed
         DIGEST=$(docker buildx imagetools inspect "${name}" --format '{{ print .Manifest.Digest }}')
         # Ensure the images bundled behind the digest about to be attested still have valid attestations
-        for digest in $(docker buildx imagetools inspect "$DOCKERHUB_USERNAME/python-torch@$DIGEST" --format '{{ range .Manifest.Manifests }}{{ .Digest }} {{ end }}')
+        for digest in $(docker buildx imagetools inspect "$repository@$DIGEST" --format '{{ range .Manifest.Manifests }}{{ .Digest }} {{ end }}')
         do
-          gh attestation verify oci://$DOCKERHUB_USERNAME/python-torch@${digest} \
+          gh attestation verify oci://$repository@$digest \
             --repo $GITHUB_REPOSITORY \
             --signer-workflow $GITHUB_WORKFLOW_REF \
             --source-digest $GITHUB_SHA
