How to access the built image sha #49
Comments
|
@dhensby How would you want to use this? an example would be helpful. |
|
So using something like notion you (ideally) want to get your hands on the raw image sha for signing. It's not much more than: The issue is that builds don't seem to have a predictable tag nor a way to get your hand on it so you can resolve the hash locally. Though, looking at the code - perhaps if I can set |
|
If there was a way to set this |
Not currently, but it wouldn't be difficult to add. Also, and I'll have to confirm, but I might just be able to mutate the |
|
Additionally as I'm working through it now, I'm not sure that would work if you were using buildx as the build + push happen in the same docker command and the images are not stored locally. it may not effect you, but something to think about. |
|
The images are available locally if the |
Yes. So nothing to worry about here, I'm just thinking out loud. |
|
Looking for something similar in order to take advantage of actions/attest-build-provenance in GitHub CI. Right now, this seems only to be possible by publishing the docker image using docker/build-push-action after semantic-release. |
|
How would you expect to get access to it? |
|
The final image sha, or the tag of an image? |
|
The signing programs can complain if you don't give the actual image sha, so that would be idea. |
I'm not sure either... echo "version=$(npm run env | grep npm_package_version | cut -d '=' -f 2)" >> $GITHUB_OUTPUTI can then reuse the new version in any of the following jobs. |
|
At the moment I use the Then I use that version to do the signing with Where $IMAGE is and env var constructed as so: Edit (for clarity): This causes notation to complain because it wants a sha instead - and that's what I'd like to be able to get my hands on somehow even if it means another |
|
Ah, I see. Thanks, that helps. I think mutating the release object could work. Provided semantic release isn't re-creating it for each plugin |
|
@dhensby @Th3S4mur41 The idea of just tacking something on to the plugin context doesn't seem feasible. The context appears to be sandboxed to a plugin. I can attach information and that is visible to that plugin's stages, but the context is missing that information from other plugins even at later stages. |
|
@dhensby @Th3S4mur41 |
There have been several requests to gain access or over ride the build id of the image so that the caller can control that and reference it later in a build process. Initial attempts to expose this information from the nextRelease property. Unfortunately, this object seems to be sandboxed, and additional information is not carried to other plugins. As an alternative, this adds basic support for github actions be setting output and environment variable that include the build id and image sha where possible fixes: #49
|
@dhensby @Th3S4mur41 take a look at #59 and let me know if this is helpful |
|
Thanks @esatterwhite this does looks promising and should solve my issue. |
There have been several requests to gain access or over ride the build id of the image so that the caller can control that and reference it later in a build process. Initial attempts to expose this information from the nextRelease property. Unfortunately, this object seems to be sandboxed, and additional information is not carried to other plugins. As an alternative, this adds basic support for github actions be setting output and environment variable that include the build id and image sha where possible fixes: #49
|
@esatterwhite Just tested it... Looking at the manifest, the
|
|
Interesting. What is the sha reported by |
|
The ID is the one returned in For the attestation, the sha from docker inspect ghcr.io/th3s4mur41/hw2energyid
[
{
"Id": "sha256:84d78f623c6ea36b8111fee0edc21df2979cdb0974788df6bd2ea94e15bc6d29",
"RepoTags": [
"ghcr.io/th3s4mur41/hw2energyid:latest"
],
"RepoDigests": [
"ghcr.io/th3s4mur41/hw2energyid@sha256:9efe6f2c9877cccdc7d91cc53a568e928fd87168cb71d85b288b2216578a7d10"
],
"Parent": "",
"Comment": "buildkit.dockerfile.v0",
"Created": "2025-01-02T11:13:50.735252468Z",
"Container": "",
"ContainerConfig": {
"Hostname": "",
"Domainname": "",
"User": "",
"AttachStdin": false,
"AttachStdout": false,
"AttachStderr": false,
"Tty": false,
"OpenStdin": false,
"StdinOnce": false,
"Env": null,
"Cmd": null,
"Image": "",
"Volumes": null,
"WorkingDir": "",
"Entrypoint": null,
"OnBuild": null,
"Labels": null
},
"DockerVersion": "",
"Author": "",
"Config": {
"Hostname": "",
"Domainname": "",
"User": "",
"AttachStdin": false,
"AttachStdout": false,
"AttachStderr": false,
"Tty": false,
"OpenStdin": false,
"StdinOnce": false,
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"NODE_VERSION=22.12.0",
"YARN_VERSION=1.22.22",
"energyid=",
"p1=",
"meter="
],
"Cmd": [
"/bin/sh",
"-c",
"npx hw2energyid --energyid=${energyid} --meter=${meter} -r"
],
"ArgsEscaped": true,
"Image": "",
"Volumes": null,
"WorkingDir": "/app",
"Entrypoint": [
"docker-entrypoint.sh"
],
"OnBuild": null,
"Labels": null
},
"Architecture": "amd64",
"Os": "linux",
"Size": 425865537,
"VirtualSize": 425865537,
"GraphDriver": {
"Data": {
"LowerDir": "/var/lib/docker/overlay2/5184c99c1b04f292ffe2fdc096512cc87895809a24994e181cfbbfec6c8fa00a/diff:/var/lib/docker/overlay2/002e8890f0473177e09637e55d758ba07bf5916d580378539e51656ffe686340/diff:/var/lib/docker/overlay2/a0879996233c1a1964e82aab54dd5eeabe35134bc01b127cd8e61e190b53e516/diff:/var/lib/docker/overlay2/edb8cc4cd92c6613e028245be7ff2546e631d844a0315bdb21471d18faa177ea/diff:/var/lib/docker/overlay2/e05f26de2d2301087129bdea6f3b56d23a0cb109da5212b3246fd961ef0876ad/diff:/var/lib/docker/overlay2/10a8443be5f27a0b753abdbab7d993c5aec91788625badb29bb395ac83b8f8ee/diff:/var/lib/docker/overlay2/bfa7aa9463dc9ea97404f40caa7f50f7eef54e9eed28d227d8a9c26d4cc1f6ea/diff:/var/lib/docker/overlay2/550730c0948b6f69977ce11cc002a11f8c9296704ee27fe335f7d08d8dcfbe68/diff:/var/lib/docker/overlay2/7f3c72454c1871cf96982f063b7a241e1da231d50846640abc519dc58b2a91f1/diff:/var/lib/docker/overlay2/8873f576d4fb5548096290a1789bdb9c0ae8827f20b588f942722df2c4e1c530/diff",
"MergedDir": "/var/lib/docker/overlay2/27e80a7fd71f429a63bc1efabbd9504deb92861e1c0a39a45891958c32bb1615/merged",
"UpperDir": "/var/lib/docker/overlay2/27e80a7fd71f429a63bc1efabbd9504deb92861e1c0a39a45891958c32bb1615/diff",
"WorkDir": "/var/lib/docker/overlay2/27e80a7fd71f429a63bc1efabbd9504deb92861e1c0a39a45891958c32bb1615/work"
},
"Name": "overlay2"
},
"RootFS": {
"Type": "layers",
"Layers": [
"sha256:8b296f48696071aafb5a6286ca60d441a7e559b192fc7f94bb63ee93dae98f17",
"sha256:2978e8b93e850e57bcd042dae07529cc63a5c86ee67734a98d0e824f24065316",
"sha256:a6426a9bf417c58d5ba0cf60167becc42891cc011b37f37af53dd3c681a7c08d",
"sha256:a2171f1263ef56c78fc4a5d5e18df026b82821a968962204a236dbca102bdc2d",
"sha256:b77d99c4c05e0efa397eb96032db3efb9d5f4660f476dc8a4211d25a021776ac",
"sha256:bc6e99bef67af7103a35855b5c684f4eaae91196f889ddc81554938904b8a47c",
"sha256:1f404b0c262b6b8907365a418530440e98752e58e5e5507a4e30eaec3b98b3a6",
"sha256:ad4fc2c519bc7efb9e95ce409c62e5af86f34692e22e2993dbf731a97d5ad422",
"sha256:3eb25a9d57f8d36875e1e708dee07281e38684baef1e359177dd096a779e5834",
"sha256:91fee93709b72e68fc491281a387fd1259077f50a76febbf12ed6566bbfcd951",
"sha256:d4599d0ff2e40be18e11bb35e867c4916ed341db8f52799e9ec8261447efee29"
]
},
"Metadata": {
"LastTagTime": "0001-01-01T00:00:00Z"
}
}
]
Looking at the release logs in the job, both seem to be available:
|
|
Yes, its current looking for the pattern I think instead of trying to parse through all the output would be to try pull the manifest after the push and extra the appropriate hash values from the metadata. That would also work w/ |
I'm looking at implementing docker image signing as part of our release process. To do this, ideally we'd have access to the sha of the built image. Is there any way to expose this value so that it can be used in an
execstep or similar?The text was updated successfully, but these errors were encountered: