Generating provenance for a Docker image

[Marco Franssen]

I'm trying to implement provenance generation in this Github Action and am facing some issues.

After pushing images/tags to a registry I will know the image digest which I would like to capture as provenance.

As we are running our provenance in a separate job I would like to fetch all the pushed tags for a given digest to do some sanity checks before we create the provenance.

It seems there is no registry api available supporting this usecase.

See here the findings in our Github issue.

https://github.com/philips-labs/slsa-provenance-action/issues/73

Any thoughts on our approach?

Any ideas for different approaches?

I do have a workaround in mind that requires also providing the tags and repositories to the action to workaround the issue, but that looks less clean.