From 54c79ae9fd5b13bda548f381593707cb830f1d6e Mon Sep 17 00:00:00 2001
From: Danil Grigorev
Date: Tue, 10 Sep 2024 19:07:38 +0200
Subject: [PATCH] Update generator_container_slsa3.yml
Signed-off-by: Danil Grigorev
---
 .github/workflows/generator_container_slsa3.yml | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/.github/workflows/generator_container_slsa3.yml b/.github/workflows/generator_container_slsa3.yml
index 5ef7bcb1a3..b6fad55607 100644
--- a/.github/workflows/generator_container_slsa3.yml
+++ b/.github/workflows/generator_container_slsa3.yml
@@ -87,6 +87,11 @@ on:
 description: "If set, provenance is pushed to this registry instead of image registry."
 required: false
 type: string
+ recursive:
+ description: "If set, for the specified multi-arch image, additionally sign each discrete image."
+ required: false
+ type: boolean
+ default: false
 outputs:
 # Note: we use this output because there is no buildt-in `outcome` and `result` is always `success`
 # if `continue-on-error` is set to `true`.
@@ -268,6 +273,7 @@ jobs:
 GITHUB_CONTEXT: "${{ toJSON(github) }}"
 VARS_CONTEXT: "${{ toJSON(vars) }}"
 UNTRUSTED_PROVENANCE_REPOSITORY: "${{ inputs.provenance-repository }}"
+ RECURSIVE: "${{ inputs.recursive }}"
 run: |
 set -euo pipefail
@@ -283,6 +289,7 @@ jobs:
 cosign attest --predicate="$predicate_name" \
 --type slsaprovenance \
 --yes \
+ --recursive="${RECURSIVE}" \
 "${UNTRUSTED_IMAGE}@${UNTRUSTED_DIGEST}"
 - name: Final outcome
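Review bot: The `description` of the new `recursive` input in the first hunk says the workflow will "sign each discrete image", but the step that consumes it in the third hunk runs `cosign attest`, so what is attached per image is the provenance attestation. Callers deciding what to verify per architecture need that distinction. I would word it as `description: "If set and the image is a multi-arch index, also attach the provenance attestation to each per-architecture image."`. The diffstat shows only this workflow file changed, so any user-facing documentation of the generator's inputs presumably still needs the new input added.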
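Review bot: `RECURSIVE` in the second hunk is filled from a caller-supplied input, yet it is the only such variable visible here without the `UNTRUSTED_` prefix carried by `UNTRUSTED_PROVENANCE_REPOSITORY`, `UNTRUSTED_IMAGE` and `UNTRUSTED_DIGEST`. Passing it through `env:` instead of interpolating `${{ inputs.recursive }}` into the script is the right pattern, and `type: boolean` constrains the value. The name should still either follow the convention, `UNTRUSTED_RECURSIVE: "${{ inputs.recursive }}"` with `--recursive="${UNTRUSTED_RECURSIVE}"` in the third hunk, or carry a comment saying why the prefix is dropped. The `env:` block and the `run:` script both extend outside the hunks.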
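Review bot: The `--recursive` flag in the third hunk widens what this step attests from the single `UNTRUSTED_DIGEST` reference to every manifest listed in that index, and nothing near the call says so. Because the image is addressed by digest, the child manifests are presumably pinned through the index content, but that reasoning should be recorded for the next reader, e.g. `# --recursive: also attest each per-arch manifest listed in the index; children are pinned via the index digest.` above the `cosign attest` line. The `run:` script continues outside the hunk, so whether later steps or the verification guidance account for the extra attestations cannot be seen from here.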