From: Kevin Sandi Date: Wed, 3 Dec 2025 09:13:04 +0000 (-0600) Subject: Fix: Update docker image digest retrieval in release script X-Git-Tag: v0.92.9^0 X-Git-Url: https://gerrit.linuxfoundation.org/infra/gitweb?a=commitdiff_plain;h=HEAD;p=releng%2Fglobal-jjb.git Fix: Update docker image digest retrieval in release script Signed-off-by: Kevin Sandi Change-Id: Iec1ec1df10623075c1121b88977570899cbfbd83 --- diff --git a/releasenotes/notes/fix-release-script-75eed2c6dfb2b66e.yaml b/releasenotes/notes/fix-release-script-75eed2c6dfb2b66e.yaml new file mode 100644 index 00000000..29ec4378 --- /dev/null +++ b/releasenotes/notes/fix-release-script-75eed2c6dfb2b66e.yaml @@ -0,0 +1,9 @@ +--- +fixes: + - | + Updates the command to retrieve the correct digest sha256 of a docker image + after it has been pushed to a container registry in the release script. + Previously, the script was incorrectly attempting to get the sha256 from + the local docker images, which does not provide the correct digest needed + for signing the image with cosign. The fix uses `docker inspect` to get + the digest from the pushed image in the registry. diff --git a/shell/release-job.sh b/shell/release-job.sh index e01d3a93..f800fd78 100644 --- a/shell/release-job.sh +++ b/shell/release-job.sh @@ -449,9 +449,8 @@ container_release_file(){ export COSIGN_PASSWORD docker tag "$container_image_id" "$CONTAINER_PUSH_REGISTRY"/"$lfn_umbrella"/"$name":"$VERSION" docker push "$CONTAINER_PUSH_REGISTRY"/"$lfn_umbrella"/"$name":"$VERSION" - image_sha=$(docker images --no-trunc --quiet \ + image_digest=$(docker inspect --format='{{index .RepoDigests 0}}' \ "$CONTAINER_PUSH_REGISTRY"/"$lfn_umbrella"/"$name":"$VERSION") - image_digest="$CONTAINER_PUSH_REGISTRY/$lfn_umbrella/$name@$image_sha" cosign sign -y --key "$COSIGN_PRIVATE_KEY" "$image_digest" fi echo "#########################"
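Review bot: In the release note's last sentence, "get the digest from the pushed image in the registry" overstates what `docker inspect` does. It reads the local daemon's image metadata, and `RepoDigests` is the value the daemon recorded at push or pull time, not the result of a query to the registry. Suggest rewording to something like "uses `docker inspect` to read the repo digest recorded for the image after the push", so that readers do not assume the value is verified against the registry before signing.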
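Review bot: In the `container_release_file` hunk of shell/release-job.sh, `{{index .RepoDigests 0}}` takes whichever repo digest is listed first, and the result goes to `cosign sign` without any check. The image is tagged from `$container_image_id`, so the local image can carry `RepoDigests` entries for other repositories as well, and the first entry is not guaranteed to be the one for `"$CONTAINER_PUSH_REGISTRY"/"$lfn_umbrella"/"$name"`. In that case the signature would be attached to a reference in a different repository than the one just pushed. Suggest selecting the entry whose prefix matches the push repository followed by `@sha256:`, and exiting with an error if `image_digest` is empty or does not match, before calling `cosign sign -y --key "$COSIGN_PRIVATE_KEY" "$image_digest"`.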