Commit b2f3da8

List every published tag in release body.
1 parent 5a6cbcd commit b2f3da8

1 file changed

Lines changed: 10 additions & 5 deletions

scripts/release-body.sh

@@ -91,14 +91,17 @@ emit_body() {
9191

9292
printf 'Stellar CLI image (SEP-58-compatible image for Stellar smart contracts).\n\n'
9393

94-
printf '## Convenience tags\n\n'
95-
printf -- '- `%s:%s` — multi-arch, default Rust for this release\n' "$registry" "$cli"
94+
printf '## Tags\n\n'
95+
printf 'Moving tags (re-pointed on each publish; do not use for SEP-58 `bldimg`):\n\n'
96+
printf -- '- `%s:latest` — newest declared cli, default Rust\n' "$registry"
97+
printf -- '- `%s:%s` — this cli, default Rust\n' "$registry" "$cli"
9698
local key ref
9799
ref="$(stellar_cli_ref_for "$cli")"
100+
printf '\nImmutable, pinned to stellar-cli `%s`:\n\n' "$ref"
98101
while IFS= read -r key; do
99-
printf -- '- `%s:%s-rust%s` — multi-arch\n' "$registry" "$cli" "$key"
100-
printf -- '- `%s:%s-%s-rust%s` — multi-arch, ref-pinned to stellar-cli `%s`\n' \
101-
"$registry" "$cli" "$ref" "$key" "$ref"
102+
printf -- '- `%s:%s-%s-rust%s` — multi-arch\n' "$registry" "$cli" "$ref" "$key"
103+
printf -- '- `%s:%s-%s-rust%s-amd64`\n' "$registry" "$cli" "$ref" "$key"
104+
printf -- '- `%s:%s-%s-rust%s-arm64`\n' "$registry" "$cli" "$ref" "$key"
102105
done < <(jq -r '
103106
map({key: .rust_base_key, ver: (.rust_version | split(".") | map(tonumber))})
104107
| unique_by(.key)
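
Review bot: the removed `%s:%s-rust%s` line (old line 99) has no replacement in the new list, so if the `<cli>-rust<key>` tag is still pushed, the body no longer lists every published tag as the commit message says. If it is still published, add it under the moving tags, since it carries no ref; if it was retired, say so in the commit message. Separately, the heading at new line 100 calls the ref-pinned tags "Immutable", which nothing in these lines enforces; "Ref-pinned" would be safer wording, with SEP-58 `bldimg` users pointed to a digest. The `-amd64` and `-arm64` suffixes at new lines 103-104 are hard-coded, so the list will drift if the set of built architectures changes.
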
@@ -168,6 +171,8 @@ Each per-architecture image carries two independent attestation chains — SLSA
168171
- `cosign verify-attestation` — registry-attached verification with explicit certificate identity + OIDC issuer flags so trust is anchored to this repo's workflows, not just "any valid Sigstore signature".
169172
- `docker buildx imagetools inspect` — manifest + attached attestation metadata, useful for inspection (not signature verification).
170173
174+
Verification requires a per-architecture reference (digest or per-arch tag). Verifying against `:latest`, `:<cli>`, or the multi-arch list tag fails because those resolve to the manifest list digest, which isn't what the per-arch attestations were signed against.
175+
171176
## Assets
172177
173178
This release attaches one SBOM file (`.spdx.json`) and one provenance bundle (`.intoto.jsonl`) per per-architecture image.
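
Review bot: new line 174 tells readers to verify against a "per-arch tag" without showing its form, and "the multi-arch list tag" does not match any name the Tags section prints. Spell out the suffix forms, for example `<cli>-<ref>-rust<key>-amd64`, and name the failing multi-arch tag the same way as `<cli>-<ref>-rust<key>`. Recommend the digest first, since verifying a tag only covers whatever that tag resolves to at that moment.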
