Those are not funny tags. The one you are seeing, sha256-98e61a83fe048008e8f3dd4e0fefd3368531f8175101b94294a29b3a77587ae9.sbom, is the SBOM for your code/app, and it matches the digest of your built container in the tag you used (in this case latest):
$ crane digest ghcr.io/kastl-ars/wolfi-node-with-bash
sha256:63f8e48a5a96ad2d73f41285329bba9de75e6c71d89b40a42e3f3b70dd7de2f9
To see your SBOM you can use cosign to download it:
$ cosign download sbom ghcr.io/kastl-ars/wolfi-node-with-bash
WARNING: SBOM attachments are deprecated and support will be removed in a Cosign release soon after 2024-02-22 (see https://github.com/sigstore/cosign/issues/2755). Instead, please use SBOM attestations.
WARNING: Downloading SBOMs this way does not ensure its authenticity. If you want to ensure a tamper-proof SBOM, download it using 'cosign download attestation <image uri>'.
Found SBOM of media type: text/spdx+json
{
"SPDXID": "SPDXRef-DOCUMENT",
"name": "sbom-sha256:63f8e48a5a96ad2d73f41285329bba9de75e6c71d89b40a42e3f3b70dd7de2f9",
"spdxVersion": "SPDX-2.3",
"creationInfo": {
"created": "2024-05-24T16:01:08Z",
"creators": [
"Tool: apko (v0.14.3)",
"Organization: Chainguard, Inc"
],
"licenseListVersion": "3.16"
},
"dataLicense": "CC0-1.0",
"documentNamespace": "https://spdx.org/spdxdocs/apko/",
"documentDescribes": [
"SPDXRef-Package-sha256-63f8e48a5a96ad2d73f41285329bba9de75e6c71d89b40a42e3f3b70dd7de2f9"
],
...
For your second question about GitHub, we cannot fix that; this is on the GitHub side.
I hope that clarifies it for you; I will close this issue.
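The check a practitioner would want after the explanation above, as an added example that is not code from the thread or from apko/cosign: derive the .sbom tag name cosign uses for an image digest, and confirm that the SPDX document you downloaded actually describes that digest. The SPDX excerpt is constructed from the output shown above and reduced to the fields the check needs.

```python
"""Tie an SBOM tag and its SPDX document back to the image digest you built."""
import json
import re

# Digest reported by `crane digest` in the thread above.
IMAGE_DIGEST = "sha256:63f8e48a5a96ad2d73f41285329bba9de75e6c71d89b40a42e3f3b70dd7de2f9"

# Constructed excerpt of the SPDX JSON that `cosign download sbom` printed above.
SPDX_DOC = json.dumps({
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "sbom-" + IMAGE_DIGEST,
    "spdxVersion": "SPDX-2.3",
    "documentDescribes": [
        "SPDXRef-Package-sha256-63f8e48a5a96ad2d73f41285329bba9de75e6c71d89b40a42e3f3b70dd7de2f9"
    ],
})

DIGEST_RE = re.compile(r"^sha256:([0-9a-f]{64})$")


def _hex_of(digest: str) -> str:
    m = DIGEST_RE.match(digest)
    if not m:
        raise ValueError(f"not a sha256 digest: {digest!r}")
    return m.group(1)


def sbom_tag_for_digest(digest: str) -> str:
    """Tag cosign/apko attach the SBOM under: 'sha256:<hex>' -> 'sha256-<hex>.sbom'
    (a colon is not valid in an OCI tag, hence the dash)."""
    return f"sha256-{_hex_of(digest)}.sbom"


def sbom_describes_digest(spdx_json: str, digest: str) -> bool:
    """True if the document's name and documentDescribes both point at digest.
    A mismatch means the SBOM you pulled belongs to some other image or tag."""
    doc = json.loads(spdx_json)
    expected_pkg = f"SPDXRef-Package-sha256-{_hex_of(digest)}"
    return (doc.get("name") == f"sbom-{digest}"
            and expected_pkg in doc.get("documentDescribes", []))


def check_sbom(tags: list, spdx_json: str, digest: str) -> dict:
    """Summarise both checks for the tag list seen in the registry."""
    return {
        "sbom_tag_present": sbom_tag_for_digest(digest) in tags,
        "sbom_matches_image": sbom_describes_digest(spdx_json, digest),
    }


if __name__ == "__main__":
    print(check_sbom(["latest", sbom_tag_for_digest(IMAGE_DIGEST)], SPDX_DOC, IMAGE_DIGEST))
```

Note that this only ties the document to the digest; as the cosign warning above says, a plain SBOM download is not authenticated, so use the attestation path when tamper evidence matters.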
Thanks for the explanation on the tags. I have not found anything on SBOM-related tags in a quick search, hence my question.
Can I somehow influence the listing of tags? Are you aware of any options?
No, I think GitHub shows the latest pushed image.
Description
I just built this image using the apko-publish action (which was painless and pleasant, so a big THANK YOU):
https://github.com/kastl-ars/wolfi-node-with-bash/pkgs/container/wolfi-node-with-bash
It seems to work properly, but I am not sure if the tags are what they should be:
sha256-98e61a83fe048008e8f3dd4e0fefd3368531f8175101b94294a29b3a77587ae9.sbom
I never saw tags including a sbom suffix, so I am a little puzzled. The image has a latest tag, which I defined in the configuration file I gave to apko. (Not sure how GitHub picks the one it shows on top, i.e. the most prominent one that can be copy&pasted. I would prefer to have the simple latest up there, but that might not be in the action's power?)
Kind Regards, Johannes