From 8fb03ff1568a9ca5639d6eac934bcc316079ac3a Mon Sep 17 00:00:00 2001
From: "Jose I. Paris" <jiparis@chainloop.dev>
Date: Thu, 23 Jan 2025 19:00:03 +0100
Subject: [PATCH] feat(releases): exclude latest tag (#1753)

Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
---
 .github/workflows/build_and_package.yaml | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/build_and_package.yaml b/.github/workflows/build_and_package.yaml
index 604dd7def..f4721aade 100644
--- a/.github/workflows/build_and_package.yaml
+++ b/.github/workflows/build_and_package.yaml
@@ -103,10 +103,13 @@ jobs:
           # goreleaser output resides in dist/artifacts.json
           # Attest all built containers and manifests
           images=$(cat dist/artifacts.json | jq -r '.[] | select(.type=="Docker Image" or .type=="Docker Manifest") | .path')
-          for entry in $images; do  
-            syft -o cyclonedx-json=/tmp/sbom.cyclonedx.json $entry
-            chainloop attestation add --value $entry --kind CONTAINER_IMAGE --attestation-id ${{ env.ATTESTATION_ID }}
-            chainloop attestation add --value /tmp/sbom.cyclonedx.json --attestation-id ${{ env.ATTESTATION_ID }}
+          for entry in $images; do
+            # exclude latest tag
+            if [[ $entry != *latest ]]; then
+              syft -o cyclonedx-json=/tmp/sbom.cyclonedx.json $entry
+              chainloop attestation add --value $entry --kind CONTAINER_IMAGE --attestation-id ${{ env.ATTESTATION_ID }}
+              chainloop attestation add --value /tmp/sbom.cyclonedx.json --attestation-id ${{ env.ATTESTATION_ID }}
+            fi
           done
 
       - name: Bump Chart and Dagger Version