ci: fix ref extraction in scan workflow

karelvanhecke · Jun 12, 2024 · 06d1f17 · 06d1f17
1 parent aa55c20
commit 06d1f17
Showing 1 changed file with 14 additions and 3 deletions.
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
@@ -74,10 +74,21 @@ jobs:
 
  image_no_tag=$(echo ${{ matrix.image }} | cut -f1 -d ':')
  commit=$(skopeo inspect docker://${image_no_tag}@${{ steps.verify.outputs.digest }} | jq -r '.Labels."org.opencontainers.image.revision"')
- tag=refs/tags/v$(skopeo inspect docker://${image_no_tag}@${{ steps.verify.outputs.digest }} | jq -r '.Labels."org.opencontainers.image.version"')
+ ref=""
+
+ if [[ $image_no_tag == $RELEASE_IMAGE ]]
+ then
+ ref=refs/tags/v$(skopeo inspect docker://${image_no_tag}@${{ steps.verify.outputs.digest }} | jq -r '.Labels."org.opencontainers.image.version"')
+ elif [[ $image_no_tag == $CI_IMAGE ]]
+ then
+ ref=refs/heads/$(echo ${{ matrix.image }} | cut -f2 -d ':')
+ else
+ echo "Failed to obtain ref"
+ exit 1
+ fi
 
  echo "commit=$commit" >> "$GITHUB_OUTPUT"
- echo "tag=$tag" >> "$GITHUB_OUTPUT"
+ echo "ref=$ref" >> "$GITHUB_OUTPUT"
 
  - name: Verify attestation and extract SBOM
  run: |
@@ -101,5 +112,5 @@ jobs:
  uses: github/codeql-action/upload-sarif@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # v3.25.8
  with:
  sarif_file: ${{ steps.scan.outputs.sarif }}
- ref: ${{ steps.metadata.outputs.tag }}
+ ref: ${{ steps.metadata.outputs.ref }}
  sha: ${{ steps.metadata.outputs.commit }}