16 changes: 11 additions & 5 deletions content/blog/docker-sponsored-open-source-program/index.md
Expand Up @@ -26,11 +26,11 @@ The program grants the following perks to eligible projects:

## Docker Hub

**Before:** Score is publishing four containers: three for the CLIs of [`score-compose`](https://github.com/score-spec/score-compose), [`score-k8s`](https://github.com/score-spec/score-k8s) and [`score-radius`](https://github.com/score-spec/score-radius); and the [`sample-score-app`](https://github.com/score-spec/sample-score-app) for demos and testing. We used to publish them in GitHub Container Registry [here](https://github.com/orgs/score-spec/packages).
**Before:** Score is publishing five containers: four for the CLIs of [`score-compose`](https://github.com/score-spec/score-compose), [`score-k8s`](https://github.com/score-spec/score-k8s), [`score-helm`](https://github.com/score-spec/score-helm) and [`score-radius`](https://github.com/score-spec/score-radius); and the [`sample-score-app`](https://github.com/score-spec/sample-score-app) for demos and testing. We used to publish them in GitHub Container Registry [here](https://github.com/orgs/score-spec/packages).

**After:** Being part of the DSOS Program gives use the opportunity to publish them in Docker Hub, and gain more visibility and trust from the community.

You can now find our four container images [in Docker Hub here](https://hub.docker.com/u/scorespec).
You can now find our five container images [in Docker Hub here](https://hub.docker.com/u/scorespec).

![](docker-hub.jpg)
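Review bot: the unchanged context line `**After:** Being part of the DSOS Program gives use the opportunity to publish them in Docker Hub` still carries the typo `use` (should be `us`); since this hunk already edits the surrounding paragraph to add `score-helm`, it is worth fixing in the same change. The count update itself is consistent: four CLI images plus `sample-score-app` gives the five images the second changed line now states.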

Expand Down Expand Up @@ -87,15 +87,15 @@ For example for the `score-radius` CLI (using [dhi.io/golang](https://dhi.io/cat

![](score-radius-dhi-diff.jpg)

In the associated PR [here](https://github.com/score-spec/score-radius/pull/28), we can see that 22 packages were removed (package manager and shell included) and that 2 CVEs were removed:
In the associated PR [here](https://github.com/score-spec/sample-score-app/pull/58), we can see that 0.3MB was saved for the size while keeping the same number of packages and still having 0 CVEs. We could have stayed with `debian` but we decided to move to an `alpine` base image (DHI provides the [two options](https://docs.docker.com/dhi/core-concepts/glibc-musl/)):

![](score-radius-dhi-scout-compare.jpg)

Another example with the `sample-score-app` (using [dhi.io/node](https://dhi.io/catalog/node)), here are the updates needed on the `Dockerfile`:

![](score-sample-app-dhi-diff.jpg)

In the associated PR [here](https://github.com/score-spec/sample-score-app/pull/58), we can see that 0.3MB was saved for the size while keeping the same number of packages and still having 0 CVEs. We could have stayed with `debian` but we decided to move to an `alpine` base image (DHI provides the [two options](https://docs.docker.com/dhi/core-concepts/glibc-musl/)):
In the associated PR [here](https://github.com/score-spec/score-radius/pull/28), we can see that 22 packages were removed (package manager and shell included) and that 2 CVEs were removed:

![](score-sample-app-dhi-scout-compare.jpg)
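Review bot: the two swapped paragraphs now appear to sit under the wrong sections. After this change, the paragraph that follows `![](score-radius-dhi-diff.jpg)` and precedes `![](score-radius-dhi-scout-compare.jpg)` links to `score-spec/sample-score-app/pull/58` (0.3MB saved, same package count, 0 CVEs, `debian` to `alpine`), while the paragraph between the `score-sample-app` screenshots links to `score-spec/score-radius/pull/28` (22 packages and 2 CVEs removed). Unless the screenshot files are being swapped in a separate commit, the PR links and figures no longer match their section; please confirm against the images before merging.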

Expand Down Expand Up @@ -192,12 +192,18 @@ This workflow provides a trusted BuildKit instance and generates signed SLSA-com
We still get our container images signed by `cosign`. Anyone can verify the trusted signature like this:

{{< highlight shell >}}
TAG=latest
PLATFORM=amd64
SIGNED_DIGEST=$(crane manifest scorespec/score-compose:$TAG \
| jq -r --arg platformdigest \
"$(crane digest --platform linux/$PLATFORM scorespec/score-compose:$TAG)" \
'.manifests[] | select(.annotations["vnd.docker.reference.digest"] == $platformdigest) | .digest')
cosign verify \
--experimental-oci11 \
--new-bundle-format \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-identity-regexp ^https://github.com/docker/github-builder/.github/workflows/build.yml.*$ \
ghcr.io/score-spec/score-compose@sha256:8dc5be472c7b71d55284451fd37d95710b10b742a6d06b79a34d70131eaaa4b4
scorespec/score-compose@$SIGNED_DIGEST
{{</ highlight >}}

## That's a wrap!
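Review bot: if the `jq` filter matches nothing (an unsupported `$PLATFORM` value, or a tag whose index carries no `vnd.docker.reference.digest` annotations), `SIGNED_DIGEST` is empty and `cosign verify` runs against `scorespec/score-compose@`, failing with an unrelated error; add a guard such as `[ -n "$SIGNED_DIGEST" ] || exit 1` before the `cosign verify` call. Two documentation points on the same hunk: the snippet now needs `crane` and `jq` in addition to `cosign`, and `--experimental-oci11` / `--new-bundle-format` require a recent cosign release, so the sentence `Anyone can verify the trusted signature like this:` should state those prerequisites. A short comment in the snippet would also help readers understand that the selected manifest is the one whose `vnd.docker.reference.digest` annotation references the platform image (in BuildKit's attestation storage that is the attestation manifest, not the image manifest the removed `ghcr.io/...@sha256:...` line verified), and that `--certificate-identity-regexp` ending in `.*$` accepts any ref of `build.yml`, which readers who want to pin to a release tag should tighten.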