feat(attestation): add tag to container image attestation (chainloop-…

…dev#747)

Signed-off-by: Miguel Martinez Trivino <[email protected]>

internal/attestation/crafter/api/attestation/v1/crafting_state.proto

@@ -62,6 +62,8 @@ message Attestation {
       string name = 2 [(buf.validate.field).string.min_len = 1];
       string digest = 3 [(buf.validate.field).string.min_len = 1];
       bool is_subject = 4;
+      // provided tag
+      string tag = 5;
     }
 
     message Artifact {

internal/attestation/crafter/materials/oci_image.go

@@ -1,5 +1,5 @@
 //
-// Copyright 2023 The Chainloop Authors.
+// Copyright 2024 The Chainloop Authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -65,6 +65,7 @@ func (i *OCIImageCrafter) Craft(_ context.Context, imageRef string) (*api.Attest
 		M: &api.Attestation_Material_ContainerImage_{
 			ContainerImage: &api.Attestation_Material_ContainerImage{
 				Id: i.input.Name, Name: repoName, Digest: remoteRef.DigestStr(), IsSubject: i.input.Output,
+				Tag: ref.Identifier(),
 			},
 		},
 	}, nil

internal/attestation/renderer/chainloop/chainloop.go

@@ -1,5 +1,5 @@
 //
-// Copyright 2023 The Chainloop Authors.
+// Copyright 2024 The Chainloop Authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -219,6 +219,7 @@ var (
 	AnnotationMaterialName      = prefixed("material.name")
 	AnnotationMaterialCAS       = prefixed("material.cas")
 	annotationMaterialInlineCAS = prefixed("material.cas.inline")
+	annotationContainerTag      = prefixed("material.image.tag")
 )
 
 func prefixed(name string) string {

internal/attestation/renderer/chainloop/testdata/attestation.output-2.v0.2.json

@@ -4,7 +4,7 @@
     {
       "name": "chainloop.workflow.test-new-types",
       "digest": {
-        "sha256": "524b370dd444326d8150f5a8176bd4d57bb2052a1b77471d1fcb9fcc0983c958"
+        "sha256": "f468a33a5a4ae153c1c50949b771b6dd9034f663bf00a5fdfbef73f03886a8e1"
       }
     },
     {
@@ -31,6 +31,7 @@
         "sha256": "fbd9335f55d83d8aaf9ab1a539b0f2a87b444e8c54f34c9a1ca9d7df15605db4"
       },
       "annotations": {
+        "chainloop.material.image.tag": "devel",
         "chainloop.material.name": "image",
         "chainloop.material.type": "CONTAINER_IMAGE"
       }
@@ -45,6 +46,7 @@
     "materials": [
       {
         "annotations": {
+          "chainloop.material.image.tag": "devel",
           "chainloop.material.name": "image",
           "chainloop.material.type": "CONTAINER_IMAGE"
         },

internal/attestation/renderer/chainloop/testdata/attestation.source-2.json

@@ -42,7 +42,8 @@
           "id": "image",
           "name": "index.docker.io/bitnami/nginx",
           "digest": "sha256:fbd9335f55d83d8aaf9ab1a539b0f2a87b444e8c54f34c9a1ca9d7df15605db4",
-          "isSubject": true
+          "isSubject": true,
+          "tag": "devel"
         },
         "addedAt": "2023-10-20T12:57:52.459112368Z",
         "materialType": "CONTAINER_IMAGE"

internal/attestation/renderer/chainloop/v02.go

@@ -1,5 +1,5 @@
 //
-// Copyright 2023 The Chainloop Authors.
+// Copyright 2024 The Chainloop Authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -213,6 +213,13 @@ func outputMaterials(att *v1.Attestation, onlyOutput bool) ([]*intoto.ResourceDe
 			AnnotationMaterialName: mdefName,
 		}
 
+		// Set the special annotations for container images
+		if artifactType == schemaapi.CraftingSchema_Material_CONTAINER_IMAGE {
+			if tag := mdef.GetContainerImage().GetTag(); tag != "" {
+				annotationsM[annotationContainerTag] = tag
+			}
+		}
+
 		// Custom annotations, it does not override the built-in ones
 		for k, v := range mdef.Annotations {
 			_, ok := annotationsM[k]