pass args by array, tighten regex used in verification

bobcallaway · bobcallaway · commit 42f641f0e59c · 2025-12-13T10:18:47.000-05:00
Signed-off-by: Bob Callaway &lt;bob.callaway@gmail.com&gt;
diff --git a/.github/workflows/bake.yml b/.github/workflows/bake.yml
@@ -577,18 +577,21 @@ jobs:
             });
             
             const verifyResults = await sigstore.verifySignedManifests(
-              { certificateIdentityRegexp: `^https://github.com/docker/github-builder-experimental/.github/workflows/bake.yml.*$` },
+              { certificateIdentityRegexp: `^https://github\.com/docker/github-builder-experimental/\.github/workflows/bake\.yml@.*$` },
               signResults
             );
             
             await core.group(`Verify commands`, async () => {
               const verifyCommands = [];
               for (const [attestationRef, verifyResult] of Object.entries(verifyResults)) {
-                const cmd = `cosign ${verifyResult.cosignArgs.join(' ')} ${attestationRef}`;
-                core.info(cmd);
+                const cmd = {
+                  executable: 'cosign',
+                  args: [...verifyResult.cosignArgs, attestationRef]
+                };
+                core.info(`${cmd.executable} ${cmd.args.join(' ')}`);
                 verifyCommands.push(cmd);
               }
-              core.setOutput('verify-commands', verifyCommands.join('\n'));
+              core.setOutput('verify-commands', JSON.stringify(verifyCommands));
             });
       -
         name: Signing local artifacts
@@ -609,18 +612,21 @@ jobs:
             });
             
             const verifyResults = await sigstore.verifySignedArtifacts(
-              { certificateIdentityRegexp: `^https://github.com/docker/github-builder-experimental/.github/workflows/bake.yml.*$` },
+              { certificateIdentityRegexp: `^https://github\.com/docker/github-builder-experimental/\.github/workflows/bake\.yml@.*$` },
               signResults
             );
             
             await core.group(`Verify commands`, async () => {
               const verifyCommands = [];
               for (const [artifactPath, verifyResult] of Object.entries(verifyResults)) {
-                const cmd = `cosign ${verifyResult.cosignArgs.join(' ')} --bundle ${path.relative(inplocalExportDir, verifyResult.bundlePath)} ${path.relative(inplocalExportDir, artifactPath)}`;
-                core.info(cmd);
+                const cmd = {
+                  executable: 'cosign',
+                  args: [...verifyResult.cosignArgs, '--bundle', path.relative(inplocalExportDir, verifyResult.bundlePath), path.relative(inplocalExportDir, artifactPath)]
+                };
+                core.info(`cosign ${verifyResult.cosignArgs.join(' ')} --bundle ${path.relative(inplocalExportDir, verifyResult.bundlePath)} ${path.relative(inplocalExportDir, artifactPath)}`);
                 verifyCommands.push(cmd);
               }
-              core.setOutput('verify-commands', verifyCommands.join('\n'));
+              core.setOutput('verify-commands', JSON.stringify(verifyCommands));
             });
       -
         name: List local output
@@ -759,7 +765,8 @@ jobs:
             for (const key of Object.keys(inpBuildOutputs)) {
               const output = JSON.parse(inpBuildOutputs[key]);
               if (output.verifyCommands) {
-                verifyCommands.push(output.verifyCommands);
+                const commands = JSON.parse(output.verifyCommands);
+                verifyCommands.push(...commands);
               }
             }
-            core.setOutput('cosign-verify-commands', verifyCommands.join('\n'));
+            core.setOutput('cosign-verify-commands', JSON.stringify(verifyCommands));
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -471,18 +471,21 @@ jobs:
             });
             
             const verifyResults = await sigstore.verifySignedManifests(
-              { certificateIdentityRegexp: `^https://github.com/docker/github-builder-experimental/.github/workflows/build.yml.*$` },
+              { certificateIdentityRegexp: `^https://github\.com/docker/github-builder-experimental/\.github/workflows/build\.yml@.*$` },
               signResults
             );
             
             await core.group(`Verify commands`, async () => {
               const verifyCommands = [];
               for (const [attestationRef, verifyResult] of Object.entries(verifyResults)) {
-                const cmd = `cosign ${verifyResult.cosignArgs.join(' ')} ${attestationRef}`;
-                core.info(cmd);
+                const cmd = {
+                  executable: 'cosign',
+                  args: [...verifyResult.cosignArgs, attestationRef]
+                };
+                core.info(`${cmd.executable} ${cmd.args.join(' ')}`);
                 verifyCommands.push(cmd);
               }
-              core.setOutput('verify-commands', verifyCommands.join('\n'));
+              core.setOutput('verify-commands', JSON.stringify(verifyCommands));
             });
       -
         name: Signing local artifacts
@@ -503,18 +506,21 @@ jobs:
             });
             
             const verifyResults = await sigstore.verifySignedArtifacts(
-              { certificateIdentityRegexp: `^https://github.com/docker/github-builder-experimental/.github/workflows/build.yml.*$` },
+              { certificateIdentityRegexp: `^https://github\.com/docker/github-builder-experimental/\.github/workflows/build\.yml@.*$` },
               signResults
             );
             
             await core.group(`Verify commands`, async () => {
               const verifyCommands = [];
               for (const [artifactPath, verifyResult] of Object.entries(verifyResults)) {
-                const cmd = `cosign ${verifyResult.cosignArgs.join(' ')} --bundle ${path.relative(inplocalExportDir, verifyResult.bundlePath)} ${path.relative(inplocalExportDir, artifactPath)}`;
-                core.info(cmd);
+                const cmd = {
+                  executable: 'cosign',
+                  args: [...verifyResult.cosignArgs, '--bundle', path.relative(inplocalExportDir, verifyResult.bundlePath), path.relative(inplocalExportDir, artifactPath)]
+                };
+                core.info(`${cmd.executable} ${cmd.args.join(' ')}`);
                 verifyCommands.push(cmd);
               }
-              core.setOutput('verify-commands', verifyCommands.join('\n'));
+              core.setOutput('verify-commands', JSON.stringify(verifyCommands));
             });
       -
         name: List local output
@@ -652,7 +658,8 @@ jobs:
             for (const key of Object.keys(inpBuildOutputs)) {
               const output = JSON.parse(inpBuildOutputs[key]);
               if (output.verifyCommands) {
-                verifyCommands.push(output.verifyCommands);
+                const commands = JSON.parse(output.verifyCommands);
+                verifyCommands.push(...commands);
               }
             }
-            core.setOutput('cosign-verify-commands', verifyCommands.join('\n'));
+            core.setOutput('cosign-verify-commands', JSON.stringify(verifyCommands));
diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml
@@ -64,6 +64,7 @@ jobs:
           INPUT_COSIGN-VERIFY-COMMANDS: ${{ steps.vars.outputs.cosign-verify-commands }}
         with:
           script: |
-            for (const cmd of core.getMultilineInput('cosign-verify-commands')) {
-              await exec.exec(cmd);
+            const commands = JSON.parse(core.getInput('cosign-verify-commands'));
+            for (const cmd of commands) {
+              await exec.exec(cmd.executable, cmd.args);
             }
