Merge pull request #940 from saschagrunert/digest

Include digest for normalized edges and bump to v4.0.4

Author: k8s-ci-robot

VERSION

@@ -1 +1 @@
-4.0.3
+4.0.4

cloudbuild.yaml

@@ -31,7 +31,7 @@ substitutions:
   # vYYYYMMDD-hash, and can be used as a substitution
   _GIT_TAG: '12345'
   _PULL_BASE_REF: 'dev'
-  _IMG_VERSION: 'v4.0.3-0'
+  _IMG_VERSION: 'v4.0.4-0'
 
 tags:
 - 'kpromo'

dependencies.yaml

@@ -1,7 +1,7 @@
 dependencies:
   # Release version
   - name: "repo release version"
-    version: 4.0.3
+    version: 4.0.4
     refPaths:
     - path: VERSION
 
@@ -57,7 +57,7 @@ dependencies:
       match: go \d+.\d+
 
   - name: "k8s.gcr.io/artifact-promoter/kpromo"
-    version: v4.0.3-0
+    version: v4.0.4-0
     refPaths:
     - path: cloudbuild.yaml
       match: "_IMG_VERSION: 'v((([0-9]+)\\.([0-9]+)\\.([0-9]+)(?:-([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?)(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?)-([0-9]+)'"

internal/promoter/image/sign.go

@@ -121,8 +121,12 @@ func (di *DefaultPromoterImplementation) SignImages(
 	// used at all and images would be signed with a wrong identity.
 	di.signer = sign.New(signOpts)
 
-	// We only sign the first normalized image of each edge.
-	sortedEdges := map[string][]reg.PromotionEdge{}
+	// We only sign the first normalized image per digest of each edge.
+	type key struct {
+		identity string
+		digest   image.Digest
+	}
+	sortedEdges := map[key][]reg.PromotionEdge{}
 	for edge := range edges {
 		// Skip signing the signature, sbom and attestation layers
 		if strings.HasSuffix(string(edge.DstImageTag.Tag), ".sig") ||
@@ -131,19 +135,19 @@ func (di *DefaultPromoterImplementation) SignImages(
 			continue
 		}
 
-		identity := targetIdentity(&edge)
-		if _, ok := sortedEdges[identity]; !ok {
-			sortedEdges[identity] = []reg.PromotionEdge{}
+		k := key{identity: targetIdentity(&edge), digest: edge.Digest}
+		if _, ok := sortedEdges[k]; !ok {
+			sortedEdges[k] = []reg.PromotionEdge{}
 		}
-		sortedEdges[identity] = append(sortedEdges[identity], edge)
+		sortedEdges[k] = append(sortedEdges[k], edge)
 	}
 
 	t := throttler.New(opts.MaxSignatureOps, len(sortedEdges))
 	// Sign the required edges
 	for d := range sortedEdges {
 		d := d
-		go func(identity string) {
-			t.Done(di.signAndReplicate(signOpts, identity, sortedEdges[identity]))
+		go func(k key) {
+			t.Done(di.signAndReplicate(signOpts, k.identity, sortedEdges[k]))
 		}(d)
 		if t.Throttle() > 0 {
 			break

workspace_status.sh

@@ -65,7 +65,7 @@ p_ IMG_REGISTRY gcr.io
 p_ IMG_REPOSITORY k8s-staging-artifact-promoter
 p_ IMG_NAME kpromo
 p_ IMG_TAG "${image_tag}"
-p_ IMG_VERSION v4.0.3-0
+p_ IMG_VERSION v4.0.4-0
 p_ TEST_AUDIT_PROD_IMG_REPOSITORY us.gcr.io/k8s-gcr-audit-test-prod
 p_ TEST_AUDIT_STAGING_IMG_REPOSITORY gcr.io/k8s-gcr-audit-test-prod
 p_ TEST_AUDIT_PROJECT_ID k8s-gcr-audit-test-prod