Signed-off-by: Kevin Sandi <ksandi@contractor.linuxfoundation.org>
Change-Id: Iec1ec1df10623075c1121b88977570899cbfbd83
--- /dev/null
+---
+fixes:
+ - |
+ Updates the command to retrieve the correct digest sha256 of a docker image
+ after it has been pushed to a container registry in the release script.
+ Previously, the script was incorrectly attempting to get the sha256 from
+ the local docker images, which does not provide the correct digest needed
+ for signing the image with cosign. The fix uses `docker inspect` to get
+ the digest from the pushed image in the registry.
export COSIGN_PASSWORD
docker tag "$container_image_id" "$CONTAINER_PUSH_REGISTRY"/"$lfn_umbrella"/"$name":"$VERSION"
docker push "$CONTAINER_PUSH_REGISTRY"/"$lfn_umbrella"/"$name":"$VERSION"
- image_sha=$(docker images --no-trunc --quiet \
+ image_digest=$(docker inspect --format='{{index .RepoDigests 0}}' \
"$CONTAINER_PUSH_REGISTRY"/"$lfn_umbrella"/"$name":"$VERSION")
- image_digest="$CONTAINER_PUSH_REGISTRY/$lfn_umbrella/$name@$image_sha"
cosign sign -y --key "$COSIGN_PRIVATE_KEY" "$image_digest"
fi
echo "#########################"
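Review bot: `{{index .RepoDigests 0}}` on the new `image_digest=` line takes whichever repo digest is listed first for the local image, which is not guaranteed to be the `$CONTAINER_PUSH_REGISTRY/$lfn_umbrella/$name` entry if the same image is also known under another repository, and the template fails when the list is empty. In either case `cosign sign` is handed a wrong or empty reference, so the signature may be attached to a different repository than the one being released, or not be created at all. Before the `cosign sign` line I would add a guard such as `case "$image_digest" in "$CONTAINER_PUSH_REGISTRY/$lfn_umbrella/$name@sha256:"*) ;; *) echo "unexpected image digest: $image_digest" >&2; exit 1 ;; esac`. The enclosing `if` opens outside this hunk, so it cannot be seen here whether `set -e` already aborts the script on a failed `docker inspect`.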