Open v1v opened 4 months ago
For this use case, would it make sense to generate the provenance attestation for the multi-arch image itself instead of the arch-specific images individually?
The multi-arch image typically has its own digest that points to an index manifest with references to all of the arch-specific variants.
For this use case, would it make sense to generate the provenance attestation for the multi-arch image itself instead of the arch-specific images individually?
That's a possibility, but I somehow think providing a multiple-entry approach could fit some other cases where using a multi-arch
image is not needed.
I want to generate the build provenance for a multi-arch container image. Rather than using the docker build GitHub action in conjunction with the metadata-action, I use
goreleaser
.Unfortunately, I cannot pass a multiline
subject-digest
but must run the same step as many container images are created.For instance:
While I'd like to do something like:
if
subject-digests
could be a new input, orsubject-digest
could support a multiline value.