From 1e44cd6d1fab60ec2300cce77abe4a70323bc2c3 Mon Sep 17 00:00:00 2001
From: Paulo Gomes <paulo.gomes@suse.com>
Date: Mon, 9 Dec 2024 22:44:08 +0000
Subject: [PATCH] publish-image: Split provenance attestation into standalone
 step

Signed-off-by: Paulo Gomes <paulo.gomes@suse.com>
---
 actions/publish-image/action.yaml | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

diff --git a/actions/publish-image/action.yaml b/actions/publish-image/action.yaml
index 20006b65..fa3b9019 100644
--- a/actions/publish-image/action.yaml
+++ b/actions/publish-image/action.yaml
@@ -190,14 +190,8 @@ runs:
       IMG_NAME="${REPO}/${{ inputs.image }}@$(head -n 1 ${IID_FILE})"
 
       cosign sign --oidc-provider=github-actions --yes "${IMG_NAME}"
+      echo "IMG_NAME=${IMG_NAME}" >> $GITHUB_ENV
         
-      if slsactl download provenance --format=slsav1 "${IMG_NAME}" > provenance-slsav1.json; then
-        cat provenance-slsav1.json
-        cosign attest --yes --predicate provenance-slsav1.json --type slsaprovenance1 "${IMG_NAME}"
-      else
-        echo "ERROR: Failed to generate slsav1 provenance. Check whether the image is present in the Prime registry."
-        exit 3
-      fi
     env:
       TAG: ${{ inputs.tag }}
       TARGET_PLATFORMS: ${{ inputs.platforms }}
@@ -212,3 +206,15 @@ runs:
       TAG: ${{ inputs.tag }}
       TARGET_PLATFORMS: ${{ inputs.platforms }}
       REPO: ${{ inputs.public-registry }}/${{ inputs.public-repo }}
+
+  - name: Attest provenance
+    shell: bash
+    run: |        
+      if slsactl download provenance --format=slsav1 "${IMG_NAME}" > provenance-slsav1.json; then
+        cat provenance-slsav1.json
+        cosign attest --yes --predicate provenance-slsav1.json --type slsaprovenance1 "${IMG_NAME}"
+      else
+        slsactl download provenance --format=slsav1 "${IMG_NAME}"
+        echo "ERROR: Failed to generate slsav1 provenance. Check whether the image is present in the Prime registry."
+        exit 3
+      fi