From 87df374949681e6c6c720b5e8fef78c1ae782385 Mon Sep 17 00:00:00 2001 From: Hal Blackburn Date: Sat, 14 Sep 2024 07:15:30 +0000 Subject: [PATCH] fixup! wip: build(ci): test publish-dev-images.yml workflow --- .github/workflows/publish-dev-images.yml | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/.github/workflows/publish-dev-images.yml b/.github/workflows/publish-dev-images.yml index 40ba41e..83de21a 100644 --- a/.github/workflows/publish-dev-images.yml +++ b/.github/workflows/publish-dev-images.yml @@ -21,6 +21,7 @@ jobs: runs-on: ubuntu-latest permissions: packages: write + id-token: write # needed for signing the images with GitHub OIDC Token steps: - name: Checkout @@ -66,10 +67,16 @@ jobs: BAKE_META: ${{ steps.bake.outputs.metadata }} run: | readarray -t image_refs < <( - jq <<<"${BAKE_META:?}" ' + jq <<<"${BAKE_META:?}" -r ' .[] | select(.["image.name"]? and .["containerimage.digest"]?) - | "\(.["image.name"])@\(.["containerimage.digest"])" + | (.["containerimage.digest"]) as $containerimage_digest + | (.["image.name"] | split(",")) as $image_names + | $image_names[] | "\(.)@\($containerimage_digest)" ' ) - cosign sign --yes ${image_refs:?} + + echo "Images to sign:" + printf ' - %s\n' "${image_refs[@]}" + + cosign sign --yes ${image_refs[@]:?}
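Review bot: The `id-token: write` added under `permissions:` is granted to the whole job, so every step in it can request a GitHub OIDC token, not only the cosign signing step. The steps between `Checkout` and the signing step lie outside this hunk, but any of them that run third-party actions or repository-controlled build code would be able to obtain the same identity token that keyless signing relies on. Consider moving the signing into its own job that holds `id-token: write` and `packages: write` and receives the image refs through a job output, leaving the build job with `packages: write` only. If the job stays combined, the comment could state the scope, e.g. `# needed for keyless cosign signing; note this exposes the OIDC token to every step in this job`.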
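Review bot: The final `cosign sign --yes ${image_refs[@]:?}` expands the array unquoted, so each ref goes through word splitting and glob expansion before cosign receives it, while the `printf` line just above already quotes the same array. Use `cosign sign --yes "${image_refs[@]:?}"` so that the refs printed under "Images to sign:" are exactly the arguments that get signed. Separately, jq runs inside `< <( … )`, whose exit status the shell discards, so a jq failure is only caught by the `:?` guard when it leaves the array empty; a failure after some output would go unnoticed. The start of this `run:` script is outside the hunk, so whether the refs are checked against the expected registry before signing cannot be seen from here.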