From 5ddf5bf3b4532511f04a8ccede611debe0c02099 Mon Sep 17 00:00:00 2001
From: RJ Trujillo
Date: Tue, 19 Dec 2023 06:33:58 -0700
Subject: [PATCH] feat(actions): Support passing multiple containers for verifcation/signing
Requires they use the same keys/certificate
---
.github/workflows/test-actions.yml | 4 ++--
sign/action.yml | 3 ++-
verify/action.yml | 5 +++--
3 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/test-actions.yml b/.github/workflows/test-actions.yml
index 1d9f51d..7925507 100644
--- a/.github/workflows/test-actions.yml
+++ b/.github/workflows/test-actions.yml
@@ -114,7 +114,7 @@ jobs: - name: Sign image uses: ./sign with: - container: ghcr.io/${{ github.repository_owner }}/${{ matrix.image_name }} + containers: ghcr.io/${{ github.repository_owner }}/${{ matrix.image_name }} registry-token: ${{ secrets.GITHUB_TOKEN }} signing-secret: ${{ secrets.SIGNING_SECRET }} tags: ${{ steps.push.outputs.digest }}
@@ -122,7 +122,7 @@ jobs: - name: Verify image uses: ./verify with: - container: ghcr.io/${{ github.repository_owner }}/${{ matrix.image_name }} + containers: ghcr.io/${{ github.repository_owner }}/${{ matrix.image_name }} pubkey: ./cosign.pub - name: Echo outputs
diff --git a/sign/action.yml b/sign/action.yml
index 2f1e521..25b4fd6 100644
--- a/sign/action.yml
+++ b/sign/action.yml
@@ -41,8 +41,9 @@ runs: - name: Sign container image shell: bash run: | - cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ steps.container_case.outputs.lowercase }}@${TAGS} + cosign sign -y --key env://COSIGN_PRIVATE_KEY @${CONTAINERS}@${TAGS} env: + CONTAINERS: ${{ steps.container_case.outputs.lowercase }} COSIGN_EXPERIMENTAL: false COSIGN_PRIVATE_KEY: ${{ inputs.signing-secret }} TAGS: ${{ inputs.tags }}
diff --git a/verify/action.yml b/verify/action.yml
index 8094d3d..839dd03 100644
--- a/verify/action.yml
+++ b/verify/action.yml
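Review bot: The new `cosign sign` line expands `@${CONTAINERS}@${TAGS}` unquoted, so a space-separated `containers` value is word-split and the literal `@` prefix lands on the first reference while `@${TAGS}` lands only on the last — only the last container is signed at the intended digest, and the first is passed as `@ghcr.io/...` (whether cosign tolerates that leading `@` I can't confirm from here; it is not a bash construct). A loop handles the list correctly: `for container in ${CONTAINERS}; do cosign sign -y --key env://COSIGN_PRIVATE_KEY "${container}@${TAGS}"; done`. The updated test workflow still passes a single image, so the multi-container path is not exercised by CI. Since one `tags` value is applied to every container, the `containers` input description should state that all references must share that digest, and that a digest (as the test's `steps.push.outputs.digest`) rather than a mutable tag is expected, because cosign resolves a tag at sign time and the signature may then not cover what is later pulled.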
@@ -31,11 +31,12 @@ runs: shell: bash run: | if [[ -n "${{ inputs.pubkey }}" ]]; then - cosign verify --key ${{ inputs.pubkey }} ${{ steps.container_case.outputs.lowercase }} + cosign verify --key ${{ inputs.pubkey }} @${CONTAINERS} elif [[ -n "${{ inputs.cert-identity }}" && -n "${{ inputs.oidc-issuer }}" ]]; then - cosign verify ${{ steps.container_case.outputs.lowercase }} --certificate-identity=${{ inputs.cert-identity }} --certificate-oidc-issuer=${{ inputs.oidc-issuer }} + cosign verify --certificate-identity=${{ inputs.cert-identity }} --certificate-oidc-issuer=${{ inputs.oidc-issuer }} @${CONTAINERS} else exit 1 fi env: + CONTAINERS: ${{ steps.container_case.outputs.lowercase }} COSIGN_EXPERIMENTAL: false
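Review bot: `${{ inputs.pubkey }}`, `${{ inputs.cert-identity }}` and `${{ inputs.oidc-issuer }}` are still template-expanded straight into the bash script text, while the same hunk correctly moves the container reference into the `CONTAINERS` env var; an input value containing `;` or `$(...)` is executed as shell on the runner (the documented Actions script-injection pattern), which is a poor property for the step that gates whether an image is trusted. Pass them the same way as `CONTAINERS` — `PUBKEY`, `CERT_IDENTITY` and `OIDC_ISSUER` under `env:` and quoted `"${PUBKEY}"`-style references in the script, including in the `[[ -n ... ]]` conditions. Separately, `@${CONTAINERS}` is an unquoted expansion with a literal `@` prefix, so a multi-container list is word-split and only the first reference gets the `@`; a `for container in ${CONTAINERS}` loop around each `cosign verify` call avoids that, and each reference should carry a digest or the verification resolves a mutable tag (I can't see from the hunk whether callers are required to pass one). The fail-closed `else exit 1` branch is right and should stay.

```yaml
run: |
  for container in ${CONTAINERS}; do
    if [[ -n "${PUBKEY}" ]]; then
      cosign verify --key "${PUBKEY}" "${container}"
    elif [[ -n "${CERT_IDENTITY}" && -n "${OIDC_ISSUER}" ]]; then
      cosign verify --certificate-identity="${CERT_IDENTITY}" --certificate-oidc-issuer="${OIDC_ISSUER}" "${container}"
    else
      exit 1
    fi
  done
env:
  CONTAINERS: ${{ steps.container_case.outputs.lowercase }}
  PUBKEY: ${{ inputs.pubkey }}
  CERT_IDENTITY: ${{ inputs.cert-identity }}
  OIDC_ISSUER: ${{ inputs.oidc-issuer }}
  # … unchanged: COSIGN_EXPERIMENTAL …
```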