chore: add more comments and error handling

Author: mchmarny

.github/actions/sbom-and-attest/action.yml

@@ -25,6 +25,10 @@ inputs:
   registry_password:
     description: 'Registry password for authentication'
     required: true
+  crane_version:
+    description: 'Version of crane to install (default: v0.20.2)'
+    required: false
+    default: 'v0.20.2'
 
 runs:
   using: 'composite'
@@ -68,9 +72,8 @@ runs:
       shell: bash
       run: |
         if ! command -v crane &> /dev/null; then
-          echo "Installing crane..."
-          CRANE_VERSION="v0.20.2"
-          curl -sL "https://github.com/google/go-containerregistry/releases/download/${CRANE_VERSION}/go-containerregistry_Linux_x86_64.tar.gz" | tar -xz crane
+          echo "Installing crane ${{ inputs.crane_version }}..."
+          curl -sL "https://github.com/google/go-containerregistry/releases/download/${{ inputs.crane_version }}/go-containerregistry_Linux_x86_64.tar.gz" | tar -xz crane
           sudo mv crane /usr/local/bin/crane
           sudo chmod +x /usr/local/bin/crane
         fi
@@ -98,14 +101,14 @@ runs:
           PLATFORM_DIGESTS=$(crane manifest "$IMAGE_REF" | \
             jq -r '.manifests[] | select((.annotations."vnd.docker.reference.type" // "") != "attestation-manifest") | .digest')
           
-          for DIGEST in $PLATFORM_DIGESTS; do
+          while IFS= read -r DIGEST; do
             echo "Attesting ${{ inputs.image_name }}@${DIGEST}"
             cosign attest \
               --yes \
               --predicate "$SBOM_FILE" \
               --type cyclonedx \
               "${{ inputs.image_name }}@${DIGEST}"
-          done
+          done <<< "$PLATFORM_DIGESTS"
         else
           # Single-platform: attest directly
           echo "Attesting $IMAGE_REF"

scripts/verify-image-attestations.sh

@@ -36,6 +36,8 @@
 
 set -euo pipefail
 
+
+
 # Color codes for output
 RED='\033[0;31m'
 GREEN='\033[0;32m'
@@ -203,22 +205,29 @@ verify_cosign_attestation() {
     media_type=$(echo "$index_manifest" | jq -r '.mediaType')
 
     if [[ "$media_type" == "application/vnd.oci.image.index.v1+json" ]]; then
-        # Get the first attestation manifest digest from the index
-        local att_digest
-        att_digest=$(echo "$index_manifest" | jq -r '.manifests[0].digest')
+        # Get all attestation manifest digests from the index
+        local att_digests
+        att_digests=$(echo "$index_manifest" | jq -r '.manifests[].digest')
 
-        if [ -z "$att_digest" ] || [ "$att_digest" == "null" ]; then
+        if [ -z "$att_digests" ]; then
             return 1
         fi
 
-        # Check the actual attestation manifest for Sigstore bundle
-        local att_manifest
-        att_manifest=$(crane manifest "${image_name}@${att_digest}" 2>/dev/null || echo "")
-        
-        # Verify it contains Sigstore bundle layers
-        if echo "$att_manifest" | jq -e '.layers[].mediaType | select(. == "application/vnd.dev.sigstore.bundle.v0.3+json")' &>/dev/null; then
-            return 0
-        fi
+        # Check if any attestation manifest contains Sigstore bundle
+        # (there may be multiple attestations from different runs)
+        while IFS= read -r att_digest; do
+            if [ -z "$att_digest" ] || [ "$att_digest" == "null" ]; then
+                continue
+            fi
+            
+            local att_manifest
+            att_manifest=$(crane manifest "${image_name}@${att_digest}" 2>/dev/null || echo "")
+            
+            # Verify it contains Sigstore bundle layers
+            if echo "$att_manifest" | jq -e '.layers[].mediaType | select(. == "application/vnd.dev.sigstore.bundle.v0.3+json")' &>/dev/null; then
+                return 0
+            fi
+        done <<< "$att_digests"
     fi
 
     return 1