@@ -183,32 +183,14 @@ jobs:
183183 run : |
184184 # Create the manifest list and push to both registries
185185 docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
186- $(jq -cr '.labels | to_entries | map("--annotation " + ("index:" + .key + "=" + .value | @sh)) | join(" ")' <<<"$DOCKER_METADATA_OUTPUT_JSON") \
186+ $(jq -cr '.labels | to_entries | map(select(.key != "org.opencontainers.image.source")) | map( "--annotation " + ("index:" + .key + "=" + .value | @sh)) | join(" ")' <<<"$DOCKER_METADATA_OUTPUT_JSON") \
187187 $(printf '${{ github.repository }}@sha256:%s ' *) \
188188 $(printf 'ghcr.io/${{ github.repository }}@sha256:%s ' *)
189189
190190 # Get the digest of the created manifest list
191191 DIGEST=$(docker buildx imagetools inspect ghcr.io/${{ github.repository }}:${{ steps.docker_meta.outputs.version }} --format '{{json .Manifest.Digest}}' | jq -r .)
192192 echo "digest=$DIGEST" >> $GITHUB_OUTPUT
193193
194- - name : Inspect images
195- run : |
196- echo "::group::DockerHub"
197- docker buildx imagetools inspect ${{ github.repository }}:${{ steps.docker_meta.outputs.version }}
198- echo "::endgroup::"
199-
200- echo "::group::GitHub Container Registry"
201- docker buildx imagetools inspect ghcr.io/${{ github.repository }}:${{ steps.docker_meta.outputs.version }}
202- echo "::endgroup::"
203-
204- - name : Cosign sign images (GitHub OIDC)
205- run : |
206- cosign sign --yes \
207- ${{ github.repository }}@${{ steps.docker_build.outputs.digest }}
208-
209- cosign sign --yes \
210- ghcr.io/${{ github.repository }}@${{ steps.docker_build.outputs.digest }}
211-
212194 - name : Attest docker build (DockerHub)
213195 uses : actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
214196 with :
@@ -223,6 +205,24 @@ jobs:
223205 subject-digest : ${{ steps.docker_build.outputs.digest }}
224206 push-to-registry : true
225207
208+ - name : Cosign sign images (GitHub OIDC)
209+ run : |
210+ cosign sign --yes \
211+ ${{ github.repository }}@${{ steps.docker_build.outputs.digest }}
212+
213+ cosign sign --yes \
214+ ghcr.io/${{ github.repository }}@${{ steps.docker_build.outputs.digest }}
215+
216+ - name : Inspect images
217+ run : |
218+ echo "::group::DockerHub"
219+ docker buildx imagetools inspect ${{ github.repository }}:${{ steps.docker_meta.outputs.version }}
220+ echo "::endgroup::"
221+
222+ echo "::group::GitHub Container Registry"
223+ docker buildx imagetools inspect ghcr.io/${{ github.repository }}:${{ steps.docker_meta.outputs.version }}
224+ echo "::endgroup::"
225+
226226 argocd :
227227 if : github.event_name == 'release' || (github.event_name == 'push' && github.ref == 'refs/heads/main')
228228 runs-on : ubuntu-latest
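Review bot: The rewritten annotation line (new line 186) still expands `$(jq … | @sh …)` unquoted, so the single quotes that `@sh` emits are never re-parsed by the shell. They reach `docker buildx imagetools create` as literal characters, and any label value containing whitespace (a description label, for example) is word-split into stray arguments; a bare `*` word would also glob against the digest files this step appears to run among. Collecting the labels into a bash array, one per line from jq, and passing `"${annotations[@]}"` keeps each annotation a single argument with no quoting layer to get wrong; the step already depends on bash for `<<<`. The `run` block starts above this hunk, so the sketch below shows only the changed lines, and label values with embedded newlines would still need separate handling.

```yaml
        run: |
          # … unchanged: comment line …
          annotations=()
          while IFS= read -r label; do
            annotations+=(--annotation "index:${label}")
          done < <(jq -r '.labels | to_entries[] | select(.key != "org.opencontainers.image.source") | .key + "=" + .value' <<<"$DOCKER_METADATA_OUTPUT_JSON")
          # … unchanged: docker buildx imagetools create and the -t tag list …
            "${annotations[@]}" \
          # … unchanged: the two printf digest lists …
```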