From 646670e19ad5e9dfd60644f412ffbd5ebfd0118a Mon Sep 17 00:00:00 2001 From: David Date: Tue, 6 Aug 2024 12:06:34 +0200 Subject: [PATCH 1/5] feat: add subject & digest for provenance attestation ```yaml - name: Generate artifact attestation uses: actions/attest-build-provenance@v1 with: subject-name: ${{ steps.publish.outputs.name }} subject-digest: ${{ steps.publish.outputs.digest }} push-to-registry: true ``` --- src/std/fwlib/blockTypes/containers.nix | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/src/std/fwlib/blockTypes/containers.nix b/src/std/fwlib/blockTypes/containers.nix index 7bdcb043..4098f368 100644 --- a/src/std/fwlib/blockTypes/containers.nix +++ b/src/std/fwlib/blockTypes/containers.nix @@ -63,6 +63,15 @@ in (mkCommand currentSystem "publish" "copy the image to its remote registry" [skopeo-nix2container] '' ${copyFn} copy docker://${target.image.repo} + + # Get the digest of the published image + DIGEST=$(skopeo inspect --raw docker://${target.image.repo}:${builtins.head target.image.tags} | jq -r '.manifests[0].digest') + + # Conditionally output the name and digest for GitHub Actions + if [ -n "$GITHUB_OUTPUT" ]; then + echo "name=${target.image.repo}" >> "$GITHUB_OUTPUT" + echo "digest=$DIGEST" >> "$GITHUB_OUTPUT" + fi '' { meta.image = target.image.name; inherit proviso; From ccdd809017dcd656bd6bc49ed2d40717334dbd8e Mon Sep 17 00:00:00 2001 From: David Date: Tue, 6 Aug 2024 13:04:24 +0200 Subject: [PATCH 2/5] wip: debug --- src/std/fwlib/blockTypes/containers.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/std/fwlib/blockTypes/containers.nix b/src/std/fwlib/blockTypes/containers.nix index 4098f368..681d9de5 100644 --- a/src/std/fwlib/blockTypes/containers.nix +++ b/src/std/fwlib/blockTypes/containers.nix 
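Review bot: The digest is looked up with a second `skopeo inspect` against the tag after the copy, so the attested subject is whatever the tag resolves to at inspect time, not the manifest this run pushed; a concurrent push to the same tag binds the attestation to a different image, and `.manifests[0].digest` is only present on an image index (it is `null` for a single-platform manifest). `skopeo copy` can record the digest of exactly what it pushed via `--digestfile`, e.g. `${copyFn} copy --digestfile "$PWD/digest" docker://${target.image.repo}` followed by `DIGEST=$(cat "$PWD/digest")`, provided `copyFn` forwards skopeo flags; that also drops the `jq` call, which the new code relies on although only `skopeo-nix2container` appears in the command's input list. Whatever the source, the write to `$GITHUB_OUTPUT` should fail closed on an empty value, `[ -n "$DIGEST" ] || { echo "could not determine image digest" >&2; exit 1; }`, instead of emitting `digest=` for the attestation step to consume. The `publish` command definition begins before the hunk.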
@@ -67,9 +67,14 @@ in # Get the digest of the published image DIGEST=$(skopeo inspect --raw docker://${target.image.repo}:${builtins.head target.image.tags} | jq -r '.manifests[0].digest') + echo "$DIGEST" + echo "$GITHUB_OUTPUT" + # Conditionally output the name and digest for GitHub Actions if [ -n "$GITHUB_OUTPUT" ]; then + echo "name=${target.image.repo}" echo "name=${target.image.repo}" >> "$GITHUB_OUTPUT" + echo "digest=$DIGEST" echo "digest=$DIGEST" >> "$GITHUB_OUTPUT" fi '' { From b4b4ed72ee7a9749de16713c1b388da9fd75b107 Mon Sep 17 00:00:00 2001 From: David Date: Tue, 6 Aug 2024 14:30:20 +0200 Subject: [PATCH 3/5] fix: tada --- src/std/fwlib/blockTypes/containers.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/std/fwlib/blockTypes/containers.nix b/src/std/fwlib/blockTypes/containers.nix index 681d9de5..92163d87 100644 --- a/src/std/fwlib/blockTypes/containers.nix +++ b/src/std/fwlib/blockTypes/containers.nix @@ -65,7 +65,7 @@ in copy docker://${target.image.repo} # Get the digest of the published image - DIGEST=$(skopeo inspect --raw docker://${target.image.repo}:${builtins.head target.image.tags} | jq -r '.manifests[0].digest') + DIGEST=$(skopeo inspect --raw docker://${target.image.repo}:${builtins.head target.image.tags} | jq -r '.config.digest') echo "$DIGEST" echo "$GITHUB_OUTPUT" From c5c1afe98d36fa219c60a4eaa9a618cb3af87f6a Mon Sep 17 00:00:00 2001 From: David Date: Tue, 6 Aug 2024 15:51:05 +0200 Subject: [PATCH 4/5] wip: out json --- src/std/fwlib/blockTypes/containers.nix | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/src/std/fwlib/blockTypes/containers.nix b/src/std/fwlib/blockTypes/containers.nix index 92163d87..a6cde109 100644 --- a/src/std/fwlib/blockTypes/containers.nix +++ b/src/std/fwlib/blockTypes/containers.nix 
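Review bot: In the third patch, `.config.digest` is the digest of the image config blob, not of the manifest the registry serves, so `subject-digest` will not match the reference a consumer pulls or verifies by digest, and an attestation pushed with `push-to-registry: true` cannot be associated with the published image. The manifest digest is what `skopeo inspect` reports without `--raw` as `Digest` (the digest of the manifest or index the tag resolves to): `DIGEST=$(skopeo inspect docker://${target.image.repo}:${builtins.head target.image.tags} | jq -r '.Digest')`, or `--format '{{.Digest}}'` without jq. For an image index the raw document has no `.config` at all and `jq -r` prints `null`, so the value should be checked for a `sha256:` prefix before it is written to `$GITHUB_OUTPUT`. The enclosing `publish` command starts and ends outside the hunk.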
@@ -72,10 +72,7 @@ in # Conditionally output the name and digest for GitHub Actions if [ -n "$GITHUB_OUTPUT" ]; then - echo "name=${target.image.repo}" - echo "name=${target.image.repo}" >> "$GITHUB_OUTPUT" - echo "digest=$DIGEST" - echo "digest=$DIGEST" >> "$GITHUB_OUTPUT" + echo 'out={"name": "${target.image.repo}", "digest": "'$DIGEST'"}' >> "$GITHUB_OUTPUT" fi '' { meta.image = target.image.name; From fce7c6da797247b9222be5fb1ce17fdc2b9a350e Mon Sep 17 00:00:00 2001 From: David Date: Tue, 6 Aug 2024 16:44:19 +0200 Subject: [PATCH 5/5] wip: iterate --- src/std/fwlib/blockTypes/containers.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/std/fwlib/blockTypes/containers.nix b/src/std/fwlib/blockTypes/containers.nix index a6cde109..2caf636b 100644 --- a/src/std/fwlib/blockTypes/containers.nix +++ b/src/std/fwlib/blockTypes/containers.nix @@ -72,7 +72,7 @@ in # Conditionally output the name and digest for GitHub Actions if [ -n "$GITHUB_OUTPUT" ]; then - echo 'out={"name": "${target.image.repo}", "digest": "'$DIGEST'"}' >> "$GITHUB_OUTPUT" + echo 'out={"name": "${target.image.repo}", "digest": "'"$DIGEST"'"}' >> "$GITHUB_OUTPUT" fi '' { meta.image = target.image.name;
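Review bot: The JSON is assembled by string concatenation and the output key changes from `name`/`digest` to `out`, so the workflow quoted in the first commit (`steps.publish.outputs.name`, `steps.publish.outputs.digest`) now reads empty values; consumers must switch to `fromJSON(steps.publish.outputs.out).name` and `.digest`, and that contract change is not mentioned in the message. Since `jq` is already required here, let it build the document so the result is valid JSON whatever the two values contain: `echo "out=$(jq -cn --arg name "${target.image.repo}" --arg digest "$DIGEST" '{name: $name, digest: $digest}')" >> "$GITHUB_OUTPUT"`. The same applies to the fifth patch's hunk, which only re-quotes `$DIGEST` inside the hand-built string; the enclosing `publish` command starts outside the hunk.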