github-early-access / generate-build-provenance

Publish a signed build provenance from your GitHub Actions workflow
MIT License
64 stars 33 forks

Support `subject-digest` with multiple entries (comma separator or line separator) #162

Open v1v opened 4 months ago

v1v commented 4 months ago

I want to generate the build provenance for a multi-arch container image. Rather than using the docker build GitHub action in conjunction with the metadata-action, I use goreleaser.

Unfortunately, I cannot pass a multiline subject-digest but must run the same step as many times as there are container images.

For instance:


    - name: generate build provenance (binaries)
      uses: github-early-access/generate-build-provenance@main
      with:
        subject-path: "${{ github.workspace }}/tools/my-cli/dist/*.*"

    - name: container image digest
      id: image
      run: |
        set -euo pipefail
        # Gather the container image generated with goreleaser
        image=$(jq -r '.[] | select (.type=="Docker Image") | .path' tools/my-cli/dist/artifacts.json | cut -d':' -f1 | uniq )
        # Fetch the digest for the container image (amd64 and arm64)
        digest_1=$(docker images --format "{{.Digest}}" --no-trunc $image | sed -n 1p)
        digest_2=$(docker images --format "{{.Digest}}" --no-trunc $image | sed -n 2p)
        echo "name=$image" >> "$GITHUB_OUTPUT"
        echo "digest_1=$digest_1" >> "$GITHUB_OUTPUT"
        echo "digest_2=$digest_2" >> "$GITHUB_OUTPUT"

    - name: generate build provenance (containers ARM64)
      uses: github-early-access/generate-build-provenance@main
      with:
        subject-name: ${{ steps.image.outputs.name }}
        subject-digest: ${{ steps.image.outputs.digest_1 }}

    - name: generate build provenance (containers AMD64)
      uses: github-early-access/generate-build-provenance@main
      with:
        subject-name: ${{ steps.image.outputs.name }}
        subject-digest: ${{ steps.image.outputs.digest_2 }}

While I'd like to do something like:


    - name: generate build provenance (binaries)
      uses: github-early-access/generate-build-provenance@main
      with:
        subject-path: "${{ github.workspace }}/tools/my-cli/dist/*.*"

    - name: container image digest
      id: image
      run: |
        set -euo pipefail
        # Gather the container image generated with goreleaser
        image=$(jq -r '.[] | select (.type=="Docker Image") | .path' tools/my-cli/dist/artifacts.json | cut -d':' -f1 | uniq )
        # Fetch the digest for the container image (amd64 and arm64)
        digests=$(docker images --format "{{.Digest}}" --no-trunc $image)
        echo "name=$image" >> "$GITHUB_OUTPUT"
        # A multi-line value must be written with the delimiter (heredoc) form of
        # GITHUB_OUTPUT; "echo digests=$digests" would split it across lines and fail.
        {
          echo "digests<<EOF"
          echo "$digests"
          echo "EOF"
        } >> "$GITHUB_OUTPUT"

    - name: generate build provenance (containers)
      uses: github-early-access/generate-build-provenance@main
      with:
        subject-name: ${{ steps.image.outputs.name }}
        subject-digests: ${{ steps.image.outputs.digests }}

if subject-digests could be a new input, or subject-digest could support a multiline value.
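As an added example (not code from the action or from the issue author), the shell helpers below show the producer side of the request: a `run` step that accepts a hypothetical list of digests separated by commas and/or newlines, rejects anything that is not a full `sha256:` digest (including the `<none>` that `docker images` reports for an image that was never pushed), and hands the list to a later step through `GITHUB_OUTPUT` using the delimiter syntax that multi-line values require. The digests used are constructed all-zero/all-one placeholders, not real image digests, and the input name `digests` is an assumption for illustration.

```shell
#!/usr/bin/env sh
# Added example for this issue thread (not the action's code or the author's
# workflow). Helpers a "run" step can use to collect image digests for a
# hypothetical multi-entry subject-digest input.

# normalize_digests LIST
# Accept entries separated by commas and/or newlines, trim surrounding
# whitespace, drop empty entries, and print one digest per line.
normalize_digests() {
  printf '%s\n' "$1" \
    | tr ',' '\n' \
    | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
    | grep -v '^$'
}

# validate_digests LIST
# Return 0 only when LIST is non-empty and every line is "sha256:" followed by
# exactly 64 lowercase hex characters, the only form worth attesting as a
# subject. Tags, truncated digests and "<none>" are rejected.
validate_digests() {
  [ -n "$1" ] || return 1
  # grep -v prints lines that do NOT match; finding any means the list is invalid.
  if printf '%s\n' "$1" | grep -Evq '^sha256:[0-9a-f]{64}$'; then
    return 1
  fi
  return 0
}

# write_multiline_output NAME VALUE FILE
# Append NAME=VALUE to FILE (normally "$GITHUB_OUTPUT") with the multi-line
# delimiter syntax. A random delimiter keeps a VALUE line from ever being
# mistaken for the terminator.
write_multiline_output() {
  name=$1; value=$2; file=$3
  delim="ghadelim_$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
  {
    printf '%s<<%s\n' "$name" "$delim"
    printf '%s\n' "$value"
    printf '%s\n' "$delim"
  } >> "$file"
}

# read_multiline_output NAME FILE
# Print the value recorded for NAME by write_multiline_output, so a step can
# verify exactly what it handed to the attestation step.
read_multiline_output() {
  awk -v name="$1" '
    !inblock && index($0, name "<<") == 1 {
      delim = substr($0, length(name) + 3); inblock = 1; next
    }
    inblock && $0 == delim { inblock = 0; next }
    inblock { print }
  ' "$2"
}

# --- usage with constructed sample values (all-zero / all-one digests are
# obviously not real image digests) ---
SAMPLE_D1="sha256:$(printf '%064d' 0)"
SAMPLE_D2="sha256:$(printf '%064d' 1)"
out_file=$(mktemp)
digests=$(normalize_digests "$SAMPLE_D1, $SAMPLE_D2")
if validate_digests "$digests"; then
  write_multiline_output digests "$digests" "$out_file"
  echo "recorded digests:"
  read_multiline_output digests "$out_file"
fi
rm -f "$out_file"
```

In a workflow, `out_file` would simply be `"$GITHUB_OUTPUT"`, and the validation step is what keeps a `<none>` digest or a stray tag from being passed on as a provenance subject.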

bdehamer commented 3 months ago

For this use case, would it make sense to generate the provenance attestation for the multi-arch image itself instead of the arch-specific images individually?

The multi-arch image typically has its own digest that points to an index manifest with references to all of the arch-specific variants.

v1v commented 3 months ago

> For this use case, would it make sense to generate the provenance attestation for the multi-arch image itself instead of the arch-specific images individually?

That's a possibility, but I somehow think providing a multiple-entry approach could fit some other cases where using a multi-arch image is not needed.