From f2a834c3cdf5cb09ba116bb55acab6cd907252ff Mon Sep 17 00:00:00 2001 From: Bertrand Goareguer Date: Mon, 20 Oct 2025 15:57:42 +0000 Subject: [PATCH 01/14] fix: fail docker-publish if using cosign 3.0.0 or above --- README.md | 3 ++- templates/gitlab-ci-docker.yml | 4 ++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index c1c10eb..4677eaf 100644 --- a/README.md +++ b/README.md @@ -241,7 +241,8 @@ By default signatures are only activated on `$INTEG_REF`, `$PROD_REF` and `$RELE Cosign is used for signing images and attestations. As of now, we only support signing with a private key defined in `$DOCKER_COSIGN_PRIVATE_KEY`. Certificate and keyless signing may be added in the future. -By default the latest version of cosign is used but you can use a specific version by setting the `$DOCKER_COSIGN_DIST_URL` variable. +:warning: By default the latest version of `cosign` is used but versions `3.0.0` and above are not supported yet. You are **highly encouraged** to set a specific version up to `2.6.1` by setting the `$DOCKER_COSIGN_DIST_URL` variable. + When the snapshot image it promoted to release, both the image signature and the signed attestation are promoted as well. diff --git a/templates/gitlab-ci-docker.yml b/templates/gitlab-ci-docker.yml index eb12f18..8b615c2 100644 --- a/templates/gitlab-ci-docker.yml +++ b/templates/gitlab-ci-docker.yml 
@@ -1447,10 +1447,10 @@ docker-publish: echo "$all_digests" | tr ':' '-' | sed '/^[ \t]*$/d' | while read sha; do log_info "Copying image signature to ${release_repository}:${sha}.sig..." skopeo copy ${TRACE+--debug} --src-authfile "$BUILDTOOL_HOME/skopeo/.docker/src-config.json" --dest-authfile "$BUILDTOOL_HOME/skopeo/.docker/dest-config.json" ${DOCKER_PUBLISH_ARGS} "docker://${snapshot_repository}:${sha}.sig" "docker://${release_repository}:${sha}.sig" \ - || log_warn "No signature found for ${sha}" + || fail "No signature found for ${sha}" log_info "Copying image attestation to ${release_repository}:${sha}.att..." skopeo copy ${TRACE+--debug} --src-authfile "$BUILDTOOL_HOME/skopeo/.docker/src-config.json" --dest-authfile "$BUILDTOOL_HOME/skopeo/.docker/dest-config.json" ${DOCKER_PUBLISH_ARGS} "docker://${snapshot_repository}:${sha}.att" "docker://${release_repository}:${sha}.att" \ - || log_warn "No attestation found for ${sha}" + || fail "No attestation found for ${sha}" done fi - | -- GitLab From 747fb9ca70d969b9c737d737723524acd93ce037 Mon Sep 17 00:00:00 2001 From: Bertrand Goareguer Date: Fri, 24 Oct 2025 12:23:00 +0000 Subject: [PATCH 02/14] Update file gitlab-ci-docker.yml --- templates/gitlab-ci-docker.yml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/templates/gitlab-ci-docker.yml b/templates/gitlab-ci-docker.yml index 8b615c2..e03c0cf 100644 --- a/templates/gitlab-ci-docker.yml +++ b/templates/gitlab-ci-docker.yml 
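Review bot: Both `|| fail` branches sit inside the `while read sha` loop that is the last stage of a pipeline, so if `fail` exits (its definition is outside this hunk) it leaves only the pipeline's subshell, and whether the job actually stops depends on errexit being active for this script block. The message also reports every `skopeo copy` error as a missing signature, although an authentication or network failure takes the same branch, and nothing in the hunk checks the cosign version that the commit title refers to. I would word it by what is actually known, e.g. `|| fail "Could not copy signature for ${sha} (missing in snapshot repository, or skopeo error above)"`, and likewise for the `.att` copy. The script block starts and ends outside the hunk.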
@@ -1444,14 +1444,19 @@ docker-publish: # ⚠ don't use upstream $docker_digest due to possible parallel matrix job producing several docker_digest=$(skopeo inspect ${TRACE+--debug} --authfile "$BUILDTOOL_HOME/skopeo/.docker/src-config.json" --format='{{ .Digest }}' --no-tags "docker://$DOCKER_SNAPSHOT_IMAGE") all_digests="$docker_digest"$'\n'"$(sed -nE 's|Copying image (sha256:[[:alnum:]]+).*|\1|p' skopeo-copy.log)" + nb_errors=0 echo "$all_digests" | tr ':' '-' | sed '/^[ \t]*$/d' | while read sha; do log_info "Copying image signature to ${release_repository}:${sha}.sig..." skopeo copy ${TRACE+--debug} --src-authfile "$BUILDTOOL_HOME/skopeo/.docker/src-config.json" --dest-authfile "$BUILDTOOL_HOME/skopeo/.docker/dest-config.json" ${DOCKER_PUBLISH_ARGS} "docker://${snapshot_repository}:${sha}.sig" "docker://${release_repository}:${sha}.sig" \ - || fail "No signature found for ${sha}" + || { log_warn "No signature found for ${sha}" ; nb_errors=$(( nb_errors + 1 )) ;} log_info "Copying image attestation to ${release_repository}:${sha}.att..." skopeo copy ${TRACE+--debug} --src-authfile "$BUILDTOOL_HOME/skopeo/.docker/src-config.json" --dest-authfile "$BUILDTOOL_HOME/skopeo/.docker/dest-config.json" ${DOCKER_PUBLISH_ARGS} "docker://${snapshot_repository}:${sha}.att" "docker://${release_repository}:${sha}.att" \ - || fail "No attestation found for ${sha}" + || { log_warn "No attestation found for ${sha}" ; nb_errors=$(( nb_errors + 1 )) ;} done + if [[ $nb_errors -gt 0 ]] + then + fail "No signature or attestation could be copied" + fi fi - | log_info "Well done your image is pushed and can be pulled with: docker pull $DOCKER_RELEASE_IMAGE" -- GitLab From 9da062dc239cfa92d5eb6646e22f4904d63835cd Mon Sep 17 00:00:00 2001 From: Bertrand Goareguer Date: Fri, 24 Oct 2025 12:36:57 +0000 Subject: [PATCH 03/14] Update file gitlab-ci-docker.yml --- templates/gitlab-ci-docker.yml | 1 + 1 file changed, 1 insertion(+) 
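Review bot: `nb_errors` is incremented inside the `while read sha` loop that is fed through a pipe from `echo "$all_digests"`, which bash runs in a subshell by default, so the `[[ $nb_errors -gt 0 ]]` test after `done` always sees 0 and `fail` is never reached: a release whose signature or attestation was not promoted passes with warnings only. Moving the initialisation (PATCH 04) or using `export nb_errors=0` (PATCH 05) does not change this, because a child shell never writes back to its parent; the two hunks of PATCH 13 bring the pipe form back with `success`, where the effect is inverted and the job would always fail. Feeding the loop by redirection keeps it in the current shell, `done < <(echo "$all_digests" | tr ':' '-' | sed '/^[ \t]*$/d')`, which is the form PATCH 06 and PATCH 14 settle on. Separately, the message "No signature or attestation could be copied" does not match a condition that fires on any single failed copy.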
diff --git a/templates/gitlab-ci-docker.yml b/templates/gitlab-ci-docker.yml index e03c0cf..761ffc2 100644 --- a/templates/gitlab-ci-docker.yml +++ b/templates/gitlab-ci-docker.yml @@ -1438,6 +1438,7 @@ docker-publish: - | if [[ ${DOCKER_COSIGN_STRATEGY} == "onrelease" ]] || [[ ${DOCKER_COSIGN_STRATEGY} == "always" ]] then + set -x snapshot_repository=${DOCKER_SNAPSHOT_IMAGE%:*} release_repository=${DOCKER_RELEASE_IMAGE%:*} # extract snapshot image digest -- GitLab From 49aaf6610500cc9dacaf48eef5571a9c645da72d Mon Sep 17 00:00:00 2001 From: Bertrand Goareguer Date: Fri, 24 Oct 2025 12:40:07 +0000 Subject: [PATCH 04/14] Update file gitlab-ci-docker.yml --- templates/gitlab-ci-docker.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/gitlab-ci-docker.yml b/templates/gitlab-ci-docker.yml index 761ffc2..17255c4 100644 --- a/templates/gitlab-ci-docker.yml +++ b/templates/gitlab-ci-docker.yml @@ -1436,6 +1436,7 @@ docker-publish: - log_info "Copying ${DOCKER_SNAPSHOT_IMAGE} to ${DOCKER_RELEASE_IMAGE}..." - skopeo copy ${TRACE+--debug} --all --src-authfile "$BUILDTOOL_HOME/skopeo/.docker/src-config.json" --dest-authfile "$BUILDTOOL_HOME/skopeo/.docker/dest-config.json" ${DOCKER_PUBLISH_ARGS} "docker://$DOCKER_SNAPSHOT_IMAGE" "docker://$DOCKER_RELEASE_IMAGE" | tee skopeo-copy.log - | + nb_errors=0 if [[ ${DOCKER_COSIGN_STRATEGY} == "onrelease" ]] || [[ ${DOCKER_COSIGN_STRATEGY} == "always" ]] then set -x 
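Review bot: `set -x` is switched on at the top of the signing block in the first hunk and never switched off, so every later command in this script entry is echoed to the job log with its variables expanded, including the `skopeo` calls with `${DOCKER_PUBLISH_ARGS}`. If a project passes registry credentials or tokens through that variable (not visible here), they end up in the CI log unless GitLab masks them. The template already has a debug switch in `${TRACE+--debug}`; if shell tracing is needed I would gate it the same way, `if [[ -n "${TRACE+x}" ]]; then set -x; fi`, and restore with `set +x` before the closing `fi`. PATCH 09 removes the line again, so this matters only if the series is merged without squashing.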
@@ -1445,7 +1446,6 @@ docker-publish: # ⚠ don't use upstream $docker_digest due to possible parallel matrix job producing several docker_digest=$(skopeo inspect ${TRACE+--debug} --authfile "$BUILDTOOL_HOME/skopeo/.docker/src-config.json" --format='{{ .Digest }}' --no-tags "docker://$DOCKER_SNAPSHOT_IMAGE") all_digests="$docker_digest"$'\n'"$(sed -nE 's|Copying image (sha256:[[:alnum:]]+).*|\1|p' skopeo-copy.log)" - nb_errors=0 echo "$all_digests" | tr ':' '-' | sed '/^[ \t]*$/d' | while read sha; do log_info "Copying image signature to ${release_repository}:${sha}.sig..." skopeo copy ${TRACE+--debug} --src-authfile "$BUILDTOOL_HOME/skopeo/.docker/src-config.json" --dest-authfile "$BUILDTOOL_HOME/skopeo/.docker/dest-config.json" ${DOCKER_PUBLISH_ARGS} "docker://${snapshot_repository}:${sha}.sig" "docker://${release_repository}:${sha}.sig" \ -- GitLab From 393718dd73ffd40bc461c5bcdaec8a0f7d95f4ec Mon Sep 17 00:00:00 2001 From: Bertrand Goareguer Date: Fri, 24 Oct 2025 12:43:40 +0000 Subject: [PATCH 05/14] Update file gitlab-ci-docker.yml --- templates/gitlab-ci-docker.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/gitlab-ci-docker.yml b/templates/gitlab-ci-docker.yml index 17255c4..b882718 100644 --- a/templates/gitlab-ci-docker.yml +++ b/templates/gitlab-ci-docker.yml @@ -1436,7 +1436,7 @@ docker-publish: - log_info "Copying ${DOCKER_SNAPSHOT_IMAGE} to ${DOCKER_RELEASE_IMAGE}..." - skopeo copy ${TRACE+--debug} --all --src-authfile "$BUILDTOOL_HOME/skopeo/.docker/src-config.json" --dest-authfile "$BUILDTOOL_HOME/skopeo/.docker/dest-config.json" ${DOCKER_PUBLISH_ARGS} "docker://$DOCKER_SNAPSHOT_IMAGE" "docker://$DOCKER_RELEASE_IMAGE" | tee skopeo-copy.log - | - nb_errors=0 + export nb_errors=0 if [[ ${DOCKER_COSIGN_STRATEGY} == "onrelease" ]] || [[ ${DOCKER_COSIGN_STRATEGY} == "always" ]] then set -x -- GitLab From 4061ab1559c7932008ee9117d8dfcdb82acaba6a Mon Sep 17 00:00:00 2001 
From: Bertrand Goareguer Date: Fri, 24 Oct 2025 12:56:23 +0000 Subject: [PATCH 06/14] Update file gitlab-ci-docker.yml --- templates/gitlab-ci-docker.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/templates/gitlab-ci-docker.yml b/templates/gitlab-ci-docker.yml index b882718..53e6825 100644 --- a/templates/gitlab-ci-docker.yml +++ b/templates/gitlab-ci-docker.yml @@ -1436,7 +1436,7 @@ docker-publish: - log_info "Copying ${DOCKER_SNAPSHOT_IMAGE} to ${DOCKER_RELEASE_IMAGE}..." - skopeo copy ${TRACE+--debug} --all --src-authfile "$BUILDTOOL_HOME/skopeo/.docker/src-config.json" --dest-authfile "$BUILDTOOL_HOME/skopeo/.docker/dest-config.json" ${DOCKER_PUBLISH_ARGS} "docker://$DOCKER_SNAPSHOT_IMAGE" "docker://$DOCKER_RELEASE_IMAGE" | tee skopeo-copy.log - | - export nb_errors=0 + nb_errors=0 if [[ ${DOCKER_COSIGN_STRATEGY} == "onrelease" ]] || [[ ${DOCKER_COSIGN_STRATEGY} == "always" ]] then set -x 
@@ -1446,14 +1446,14 @@ docker-publish: # ⚠ don't use upstream $docker_digest due to possible parallel matrix job producing several docker_digest=$(skopeo inspect ${TRACE+--debug} --authfile "$BUILDTOOL_HOME/skopeo/.docker/src-config.json" --format='{{ .Digest }}' --no-tags "docker://$DOCKER_SNAPSHOT_IMAGE") all_digests="$docker_digest"$'\n'"$(sed -nE 's|Copying image (sha256:[[:alnum:]]+).*|\1|p' skopeo-copy.log)" - echo "$all_digests" | tr ':' '-' | sed '/^[ \t]*$/d' | while read sha; do + while read sha; do log_info "Copying image signature to ${release_repository}:${sha}.sig..." skopeo copy ${TRACE+--debug} --src-authfile "$BUILDTOOL_HOME/skopeo/.docker/src-config.json" --dest-authfile "$BUILDTOOL_HOME/skopeo/.docker/dest-config.json" ${DOCKER_PUBLISH_ARGS} "docker://${snapshot_repository}:${sha}.sig" "docker://${release_repository}:${sha}.sig" \ || { log_warn "No signature found for ${sha}" ; nb_errors=$(( nb_errors + 1 )) ;} log_info "Copying image attestation to ${release_repository}:${sha}.att..." skopeo copy ${TRACE+--debug} --src-authfile "$BUILDTOOL_HOME/skopeo/.docker/src-config.json" --dest-authfile "$BUILDTOOL_HOME/skopeo/.docker/dest-config.json" ${DOCKER_PUBLISH_ARGS} "docker://${snapshot_repository}:${sha}.att" "docker://${release_repository}:${sha}.att" \ || { log_warn "No attestation found for ${sha}" ; nb_errors=$(( nb_errors + 1 )) ;} - done + done < <(echo "$all_digests" | tr ':' '-' | sed '/^[ \t]*$/d') if [[ $nb_errors -gt 0 ]] then fail "No signature or attestation could be copied" -- GitLab From 722cc92b618a403134f5686d8f4fc78b759403dd Mon Sep 17 00:00:00 2001 From: Bertrand Goareguer Date: Fri, 24 Oct 2025 13:00:18 +0000 Subject: [PATCH 07/14] Update file gitlab-ci-docker.yml --- templates/gitlab-ci-docker.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/gitlab-ci-docker.yml b/templates/gitlab-ci-docker.yml index 53e6825..faad261 100644 --- a/templates/gitlab-ci-docker.yml 
+++ b/templates/gitlab-ci-docker.yml @@ -1449,10 +1449,10 @@ docker-publish: while read sha; do log_info "Copying image signature to ${release_repository}:${sha}.sig..." skopeo copy ${TRACE+--debug} --src-authfile "$BUILDTOOL_HOME/skopeo/.docker/src-config.json" --dest-authfile "$BUILDTOOL_HOME/skopeo/.docker/dest-config.json" ${DOCKER_PUBLISH_ARGS} "docker://${snapshot_repository}:${sha}.sig" "docker://${release_repository}:${sha}.sig" \ - || { log_warn "No signature found for ${sha}" ; nb_errors=$(( nb_errors + 1 )) ;} + || { log_warn "No signature found for ${sha}" ; ((nb_errors++)) ;} log_info "Copying image attestation to ${release_repository}:${sha}.att..." skopeo copy ${TRACE+--debug} --src-authfile "$BUILDTOOL_HOME/skopeo/.docker/src-config.json" --dest-authfile "$BUILDTOOL_HOME/skopeo/.docker/dest-config.json" ${DOCKER_PUBLISH_ARGS} "docker://${snapshot_repository}:${sha}.att" "docker://${release_repository}:${sha}.att" \ - || { log_warn "No attestation found for ${sha}" ; nb_errors=$(( nb_errors + 1 )) ;} + || { log_warn "No attestation found for ${sha}" ; ((nb_errors++)) ;} done < <(echo "$all_digests" | tr ':' '-' | sed '/^[ \t]*$/d') if [[ $nb_errors -gt 0 ]] then -- GitLab From f64a15b458086a81cecbe4b7514a2df8adc1b0fb Mon Sep 17 00:00:00 2001 From: Bertrand Goareguer Date: Fri, 24 Oct 2025 13:07:59 +0000 Subject: [PATCH 08/14] Update file gitlab-ci-docker.yml --- templates/gitlab-ci-docker.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/templates/gitlab-ci-docker.yml b/templates/gitlab-ci-docker.yml index faad261..8ea7370 100644 --- a/templates/gitlab-ci-docker.yml +++ b/templates/gitlab-ci-docker.yml 
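Review bot: `((nb_errors++))` returns exit status 1 while the counter is still 0, because the post-increment expression evaluates to the old value; it is the last command of the brace group after `||`, so that status becomes the status of the whole list. If the script runs with errexit (not visible in this hunk), the first missing signature would abort the job at that point instead of being counted, and the attestation copy for the same digest would never be attempted. The assignment form this hunk removes, `nb_errors=$(( nb_errors + 1 ))`, always returns 0 and is the safer one to keep; PATCH 08 goes back to it.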
@@ -1436,7 +1436,6 @@ docker-publish: - log_info "Copying ${DOCKER_SNAPSHOT_IMAGE} to ${DOCKER_RELEASE_IMAGE}..." - skopeo copy ${TRACE+--debug} --all --src-authfile "$BUILDTOOL_HOME/skopeo/.docker/src-config.json" --dest-authfile "$BUILDTOOL_HOME/skopeo/.docker/dest-config.json" ${DOCKER_PUBLISH_ARGS} "docker://$DOCKER_SNAPSHOT_IMAGE" "docker://$DOCKER_RELEASE_IMAGE" | tee skopeo-copy.log - | - nb_errors=0 if [[ ${DOCKER_COSIGN_STRATEGY} == "onrelease" ]] || [[ ${DOCKER_COSIGN_STRATEGY} == "always" ]] then set -x 
@@ -1446,13 +1445,14 @@ docker-publish: # ⚠ don't use upstream $docker_digest due to possible parallel matrix job producing several docker_digest=$(skopeo inspect ${TRACE+--debug} --authfile "$BUILDTOOL_HOME/skopeo/.docker/src-config.json" --format='{{ .Digest }}' --no-tags "docker://$DOCKER_SNAPSHOT_IMAGE") all_digests="$docker_digest"$'\n'"$(sed -nE 's|Copying image (sha256:[[:alnum:]]+).*|\1|p' skopeo-copy.log)" + nb_errors=0 while read sha; do log_info "Copying image signature to ${release_repository}:${sha}.sig..." skopeo copy ${TRACE+--debug} --src-authfile "$BUILDTOOL_HOME/skopeo/.docker/src-config.json" --dest-authfile "$BUILDTOOL_HOME/skopeo/.docker/dest-config.json" ${DOCKER_PUBLISH_ARGS} "docker://${snapshot_repository}:${sha}.sig" "docker://${release_repository}:${sha}.sig" \ - || { log_warn "No signature found for ${sha}" ; ((nb_errors++)) ;} + || { log_warn "No signature found for ${sha}" ; nb_errors=$(( nb_errors + 1 )) ;} log_info "Copying image attestation to ${release_repository}:${sha}.att..." skopeo copy ${TRACE+--debug} --src-authfile "$BUILDTOOL_HOME/skopeo/.docker/src-config.json" --dest-authfile "$BUILDTOOL_HOME/skopeo/.docker/dest-config.json" ${DOCKER_PUBLISH_ARGS} "docker://${snapshot_repository}:${sha}.att" "docker://${release_repository}:${sha}.att" \ - || { log_warn "No attestation found for ${sha}" ; ((nb_errors++)) ;} + || { log_warn "No attestation found for ${sha}" ; nb_errors=$(( nb_errors + 1 )) ;} done < <(echo "$all_digests" | tr ':' '-' | sed '/^[ \t]*$/d') if [[ $nb_errors -gt 0 ]] then -- GitLab From b7eadc1dabeb4cc19eab0dc31d597f16532df6b3 Mon Sep 17 00:00:00 2001 From: Bertrand Goareguer Date: Fri, 24 Oct 2025 13:13:15 +0000 Subject: [PATCH 09/14] Update file gitlab-ci-docker.yml --- templates/gitlab-ci-docker.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/templates/gitlab-ci-docker.yml b/templates/gitlab-ci-docker.yml index 8ea7370..5bc45f2 100644 --- a/templates/gitlab-ci-docker.yml 
+++ b/templates/gitlab-ci-docker.yml @@ -1438,7 +1438,6 @@ docker-publish: - | if [[ ${DOCKER_COSIGN_STRATEGY} == "onrelease" ]] || [[ ${DOCKER_COSIGN_STRATEGY} == "always" ]] then - set -x snapshot_repository=${DOCKER_SNAPSHOT_IMAGE%:*} release_repository=${DOCKER_RELEASE_IMAGE%:*} # extract snapshot image digest -- GitLab From 7c36414d8fb5f42d0915ffafd62ef055989cd2ce Mon Sep 17 00:00:00 2001 From: Bertrand Goareguer Date: Tue, 4 Nov 2025 08:13:56 +0000 Subject: [PATCH 10/14] Apply 1 suggestion(s) to 1 file(s) Co-authored-by: Clement Bois --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 4677eaf..c89d92b 100644 --- a/README.md +++ b/README.md @@ -241,7 +241,9 @@ By default signatures are only activated on `$INTEG_REF`, `$PROD_REF` and `$RELE Cosign is used for signing images and attestations. As of now, we only support signing with a private key defined in `$DOCKER_COSIGN_PRIVATE_KEY`. Certificate and keyless signing may be added in the future. -:warning: By default the latest version of `cosign` is used but versions `3.0.0` and above are not supported yet. You are **highly encouraged** to set a specific version up to `2.6.1` by setting the `$DOCKER_COSIGN_DIST_URL` variable. +By default the latest version of `cosign` is used. You can use a specific version by setting the `$DOCKER_COSIGN_DIST_URL` variable. + +:warning: New bundle format enabled in version `3` is not supported yet. You should to set a specific argument `--new-bundle-fomat=false` in `cosign-opts` and `cosign-attest-opts` to disable this feature. When the snapshot image it promoted to release, both the image signature and the signed attestation are promoted as well. -- GitLab From 934f799c10d6c55ef0506998fd2e8d691bc146de Mon Sep 17 00:00:00 2001 From: Bertrand Goareguer Date: Tue, 4 Nov 2025 08:15:13 +0000 Subject: [PATCH 11/14] Update file README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/README.md b/README.md index c89d92b..3e4def6 100644 --- a/README.md +++ b/README.md @@ -243,7 +243,7 @@ Cosign is used for signing images and attestations. As of now, we only support s By default the latest version of `cosign` is used. You can use a specific version by setting the `$DOCKER_COSIGN_DIST_URL` variable. -:warning: New bundle format enabled in version `3` is not supported yet. You should to set a specific argument `--new-bundle-fomat=false` in `cosign-opts` and `cosign-attest-opts` to disable this feature. +:warning: New bundle format enabled in version `3` of `cosign` is not supported yet. You should set a specific argument `--new-bundle-fomat=false` in `cosign-opts` and `cosign-attest-opts` to disable this feature. When the snapshot image it promoted to release, both the image signature and the signed attestation are promoted as well. -- GitLab From 2f864dca6438f6d6812bf417147f0bd4f5cd1d82 Mon Sep 17 00:00:00 2001 From: Bertrand Goareguer Date: Tue, 4 Nov 2025 09:35:02 +0000 Subject: [PATCH 12/14] Update file gitlab-ci-docker.yml --- templates/gitlab-ci-docker.yml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/templates/gitlab-ci-docker.yml b/templates/gitlab-ci-docker.yml index 5bc45f2..1308ab4 100644 --- a/templates/gitlab-ci-docker.yml +++ b/templates/gitlab-ci-docker.yml 
@@ -1444,16 +1444,18 @@ docker-publish: # ⚠ don't use upstream $docker_digest due to possible parallel matrix job producing several docker_digest=$(skopeo inspect ${TRACE+--debug} --authfile "$BUILDTOOL_HOME/skopeo/.docker/src-config.json" --format='{{ .Digest }}' --no-tags "docker://$DOCKER_SNAPSHOT_IMAGE") all_digests="$docker_digest"$'\n'"$(sed -nE 's|Copying image (sha256:[[:alnum:]]+).*|\1|p' skopeo-copy.log)" - nb_errors=0 + success=0 while read sha; do log_info "Copying image signature to ${release_repository}:${sha}.sig..." skopeo copy ${TRACE+--debug} --src-authfile "$BUILDTOOL_HOME/skopeo/.docker/src-config.json" --dest-authfile "$BUILDTOOL_HOME/skopeo/.docker/dest-config.json" ${DOCKER_PUBLISH_ARGS} "docker://${snapshot_repository}:${sha}.sig" "docker://${release_repository}:${sha}.sig" \ - || { log_warn "No signature found for ${sha}" ; nb_errors=$(( nb_errors + 1 )) ;} + && success=1 \ + || log_warn "No signature found for ${sha}" log_info "Copying image attestation to ${release_repository}:${sha}.att..." skopeo copy ${TRACE+--debug} --src-authfile "$BUILDTOOL_HOME/skopeo/.docker/src-config.json" --dest-authfile "$BUILDTOOL_HOME/skopeo/.docker/dest-config.json" ${DOCKER_PUBLISH_ARGS} "docker://${snapshot_repository}:${sha}.att" "docker://${release_repository}:${sha}.att" \ - || { log_warn "No attestation found for ${sha}" ; nb_errors=$(( nb_errors + 1 )) ;} + && success=1 \ + || log_warn "No attestation found for ${sha}" done < <(echo "$all_digests" | tr ':' '-' | sed '/^[ \t]*$/d') - if [[ $nb_errors -gt 0 ]] + if [[ $success -eq 0 ]] then fail "No signature or attestation could be copied" fi -- GitLab From 5c409140271aababea9e1fbceec71e17614274c1 Mon Sep 17 00:00:00 2001 From: Bertrand Goareguer Date: Tue, 4 Nov 2025 09:56:50 +0000 Subject: [PATCH 13/14] Update file gitlab-ci-docker.yml --- templates/gitlab-ci-docker.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
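Review bot: With a single `success` flag the final check passes as soon as one `.sig` or one `.att` copy succeeds for any digest, so a release can be promoted with a signature but no attestation (or the reverse) and only a warning in the log. The README text in this series says both are promoted, so if attestations are always produced for signed images (not visible here) I would track them separately: `&& sig_copied=1 \` and `&& att_copied=1 \` in the two lists, then `if [[ $sig_copied -eq 0 || $att_copied -eq 0 ]]`. The image itself is copied to the release repository earlier in the job (the `skopeo copy --all` context line shown in PATCH 04), so a `fail` here leaves an image there without its signature; it is worth deciding whether that needs a cleanup step or a different ordering. The script block starts and ends outside the hunk.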
diff --git a/templates/gitlab-ci-docker.yml b/templates/gitlab-ci-docker.yml index 1308ab4..559b46b 100644 --- a/templates/gitlab-ci-docker.yml +++ b/templates/gitlab-ci-docker.yml @@ -1445,7 +1445,7 @@ docker-publish: docker_digest=$(skopeo inspect ${TRACE+--debug} --authfile "$BUILDTOOL_HOME/skopeo/.docker/src-config.json" --format='{{ .Digest }}' --no-tags "docker://$DOCKER_SNAPSHOT_IMAGE") all_digests="$docker_digest"$'\n'"$(sed -nE 's|Copying image (sha256:[[:alnum:]]+).*|\1|p' skopeo-copy.log)" success=0 - while read sha; do + echo "$all_digests" | tr ':' '-' | sed '/^[ \t]*$/d' | while read sha; do log_info "Copying image signature to ${release_repository}:${sha}.sig..." skopeo copy ${TRACE+--debug} --src-authfile "$BUILDTOOL_HOME/skopeo/.docker/src-config.json" --dest-authfile "$BUILDTOOL_HOME/skopeo/.docker/dest-config.json" ${DOCKER_PUBLISH_ARGS} "docker://${snapshot_repository}:${sha}.sig" "docker://${release_repository}:${sha}.sig" \ && success=1 \ @@ -1454,7 +1454,7 @@ docker-publish: skopeo copy ${TRACE+--debug} --src-authfile "$BUILDTOOL_HOME/skopeo/.docker/src-config.json" --dest-authfile "$BUILDTOOL_HOME/skopeo/.docker/dest-config.json" ${DOCKER_PUBLISH_ARGS} "docker://${snapshot_repository}:${sha}.att" "docker://${release_repository}:${sha}.att" \ && success=1 \ || log_warn "No attestation found for ${sha}" - done < <(echo "$all_digests" | tr ':' '-' | sed '/^[ \t]*$/d') + done if [[ $success -eq 0 ]] then fail "No signature or attestation could be copied" -- GitLab From 6317057ccc91430dead352a9c8e4eed5b7f0e61d Mon Sep 17 00:00:00 2001 From: Bertrand Goareguer Date: Tue, 4 Nov 2025 11:49:33 +0000 Subject: [PATCH 14/14] Update file gitlab-ci-docker.yml --- templates/gitlab-ci-docker.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/gitlab-ci-docker.yml b/templates/gitlab-ci-docker.yml index 559b46b..1308ab4 100644 --- a/templates/gitlab-ci-docker.yml +++ b/templates/gitlab-ci-docker.yml 
@@ -1445,7 +1445,7 @@ docker-publish: docker_digest=$(skopeo inspect ${TRACE+--debug} --authfile "$BUILDTOOL_HOME/skopeo/.docker/src-config.json" --format='{{ .Digest }}' --no-tags "docker://$DOCKER_SNAPSHOT_IMAGE") all_digests="$docker_digest"$'\n'"$(sed -nE 's|Copying image (sha256:[[:alnum:]]+).*|\1|p' skopeo-copy.log)" success=0 - echo "$all_digests" | tr ':' '-' | sed '/^[ \t]*$/d' | while read sha; do + while read sha; do log_info "Copying image signature to ${release_repository}:${sha}.sig..." skopeo copy ${TRACE+--debug} --src-authfile "$BUILDTOOL_HOME/skopeo/.docker/src-config.json" --dest-authfile "$BUILDTOOL_HOME/skopeo/.docker/dest-config.json" ${DOCKER_PUBLISH_ARGS} "docker://${snapshot_repository}:${sha}.sig" "docker://${release_repository}:${sha}.sig" \ && success=1 \ @@ -1454,7 +1454,7 @@ docker-publish: skopeo copy ${TRACE+--debug} --src-authfile "$BUILDTOOL_HOME/skopeo/.docker/src-config.json" --dest-authfile "$BUILDTOOL_HOME/skopeo/.docker/dest-config.json" ${DOCKER_PUBLISH_ARGS} "docker://${snapshot_repository}:${sha}.att" "docker://${release_repository}:${sha}.att" \ && success=1 \ || log_warn "No attestation found for ${sha}" - done + done < <(echo "$all_digests" | tr ':' '-' | sed '/^[ \t]*$/d') if [[ $success -eq 0 ]] then fail "No signature or attestation could be copied" -- GitLab