From 06d1f17ec38b42c1c823bac158e617b6933e9386 Mon Sep 17 00:00:00 2001
From: Karel Van Hecke <25814162+karelvanhecke@users.noreply.github.com>
Date: Wed, 12 Jun 2024 12:44:08 +0000
Subject: [PATCH] ci: fix ref extraction in scan workflow
---
 .github/workflows/scan.yml | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index 09113b3..fac569e 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -74,10 +74,21 @@ jobs:
 image_no_tag=$(echo ${{ matrix.image }} | cut -f1 -d ':')
 commit=$(skopeo inspect docker://${image_no_tag}@${{ steps.verify.outputs.digest }} | jq -r '.Labels."org.opencontainers.image.revision"')
- tag=refs/tags/v$(skopeo inspect docker://${image_no_tag}@${{ steps.verify.outputs.digest }} | jq -r '.Labels."org.opencontainers.image.version"')
+ ref=""
+
+ if [[ $image_no_tag == $RELEASE_IMAGE ]]
+ then
+ ref=refs/tags/v$(skopeo inspect docker://${image_no_tag}@${{ steps.verify.outputs.digest }} | jq -r '.Labels."org.opencontainers.image.version"')
+ elif [[ $image_no_tag == $CI_IMAGE ]]
+ then
+ ref=refs/heads/$(echo ${{ matrix.image }} | cut -f2 -d ':')
+ else
+ echo "Failed to obtain ref"
+ exit 1
+ fi
 echo "commit=$commit" >> "$GITHUB_OUTPUT"
- echo "tag=$tag" >> "$GITHUB_OUTPUT"
+ echo "ref=$ref" >> "$GITHUB_OUTPUT"
 - name: Verify attestation and extract SBOM
 run: |
@@ -101,5 +112,5 @@ jobs:
 uses: github/codeql-action/upload-sarif@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # v3.25.8
 with:
 sarif_file: ${{ steps.scan.outputs.sarif }}
- ref: ${{ steps.metadata.outputs.tag }}
+ ref: ${{ steps.metadata.outputs.ref }}
 sha: ${{ steps.metadata.outputs.commit }}
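Review bot: The added `[[ $image_no_tag == $RELEASE_IMAGE ]]` and `[[ $image_no_tag == $CI_IMAGE ]]` tests leave the right-hand side unquoted, so bash matches it as a glob pattern rather than a literal string; quoting both sides, `[[ "$image_no_tag" == "$RELEASE_IMAGE" ]]`, makes the choice of code-scanning ref an exact comparison. The release branch also takes whatever `jq -r` prints, so an image without the `org.opencontainers.image.version` label yields `refs/tags/vnull` instead of reaching the `Failed to obtain ref` exit; rejecting an empty or `null` result before writing `ref` to `$GITHUB_OUTPUT` would keep SARIF results from being attached to a ref that does not exist. The new `$(echo ${{ matrix.image }} | cut -f2 -d ':')` expands the matrix value into the script text before the shell runs; mapping it through `env:` and reading `"$IMAGE"` is the safer form should the matrix ever be populated from outside the workflow file, which cannot be seen from this hunk. The step starts above the hunk, so where `RELEASE_IMAGE` and `CI_IMAGE` are defined could not be checked here.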