From c8be08fb2064d55388728edc4833a0c6ae7591b7 Mon Sep 17 00:00:00 2001
From: Predrag Rogic <prezha@users.noreply.github.com>
Date: Mon, 17 Jun 2024 12:50:36 +0100
Subject: [PATCH] use image digest

---
 hooks/post-command | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/hooks/post-command b/hooks/post-command
index 836521e..bc49f1a 100755
--- a/hooks/post-command
+++ b/hooks/post-command
@@ -57,6 +57,22 @@ cosign_keyless() {
     local oidc_issuer=${BUILDKITE_PLUGIN_COSIGN_KEYLESS_CONFIG_OIDC_ISSUER}
     local oidc_provider=${BUILDKITE_PLUGIN_COSIGN_KEYLESS_CONFIG_OIDC_PROVIDER:-"buildkite-agent"}
 
+    # if the supplied image reference does not contain a digest, try getting the local image digest to use it instead
+    if [[ $image != *"@sha256:"* ]]; then
+        echo "--- :key: Getting the local image digest"
+
+        local digest
+        digest=$(docker inspect --format='{{index .RepoDigests 0}}' "${image}")
+
+        status=$?
+        if [[ $status -ne 0 ]]; then
+            display_error "docker inspect" "Failed to get the local image digest, will continue using supplied image reference ${image}"
+        else
+            display_success "docker inspect" "Got the local image digest, will continue using ${digest}"
+            image="${digest}"
+        fi
+    fi
+
     echo "--- :key: Cosign keyless signing"
 
     rm -f out.sig