Merge pull request #3 from nais/add_image_ref_check

feat(action): validate image ref and set output sbom

README.md

@@ -27,7 +27,7 @@ jobs:
       id: "build_push"
       ...
     - name: "Attest and sign"
-      uses: 'nais/attest-sign@v1.0.0'
+      uses: 'nais/attest-sign@v1.x.x'
       with:
         image_ref: ${{ env.registry }}/${{ env.image }}@${{ steps.build_push.outputs.digest }}
 ```

action.yml

@@ -5,14 +5,27 @@ branding:
   color: 'green'
 inputs:
   image_ref:
-    description: 'image ref, i.e. "europe-north1-docker.pkg.dev/nais-io/nais/images/canary-deployer@sha256:eac1f85bee008dfe4ca0eadd1f32256946a171b445d129dba8f00cc67d43582b"'
+    description: |
+      'form <image>@<digest>'
+      'image ref, i.e. "europe-north1-docker.pkg.dev/nais-io/nais/images/canary-deployer@sha256:eac1f85bee008dfe4ca0eadd1f32256946a171b445d129dba8f00cc67d43582b"'
     required: true
   sbom:
     description: 'existing SBOM in cyclonedx format'
     default: 'auto-generate-for-me-please.json'
+outputs:
+  sbom:
+    description: 'SBOM.json in cyclonedx format'
+    value: ${{ steps.set-outputs.outputs.SBOM }}
 runs:
   using: 'composite'
   steps:
+    - name: 'Validate image ref'
+      run: |
+        if [[ ${{ inputs.image_ref }} != *@sha256:* ]]; then
+          echo "Image must be in the form of <image>@<digest>"
+          exit 1
+        fi
+      shell: 'bash'
     - name: 'Install cosign'
       uses: 'sigstore/cosign-installer@dd6b2e2b610a11fd73dd187a43d57cc1394e35f9' # ratchet:sigstore/[email protected]
       with:
@@ -30,3 +43,8 @@ runs:
       run: |
         cosign sign --yes "${{ inputs.image_ref }}"
         cosign attest --yes --predicate "${{ inputs.sbom }}" --type cyclonedx "${{ inputs.image_ref }}"
+    - name: Set outputs
+      shell: bash
+      id: set-outputs
+      run: |
+        echo "SBOM=${{ inputs.sbom }}" >> $GITHUB_OUTPUT