From 407e75f0b1ce57f7a7989247cb0a3ef435c04fe6 Mon Sep 17 00:00:00 2001
From: Dan Lorenc <dlorenc@google.com>
Date: Fri, 20 Aug 2021 13:09:29 -0500
Subject: [PATCH] Only upload to the tlog once!

Signed-off-by: Dan Lorenc <dlorenc@google.com>
---
 pkg/chains/rekor.go      | 5 +++++
 pkg/chains/rekor_test.go | 9 +++++++++
 2 files changed, 14 insertions(+)

diff --git a/pkg/chains/rekor.go b/pkg/chains/rekor.go
index 0c65bfa508..62ffe233ca 100644
--- a/pkg/chains/rekor.go
+++ b/pkg/chains/rekor.go
@@ -89,6 +89,11 @@ func shouldUploadTlog(cfg config.Config, tr *v1beta1.TaskRun) bool {
 	if !cfg.Transparency.VerifyAnnotation {
 		return true
 	}
+
+	// Already uploaded, don't do it again
+	if _, ok := tr.Annotations[ChainsTransparencyAnnotation]; ok {
+		return false
+	}
 	// verify the annotation
 	for k, v := range tr.Annotations {
 		if k == RekorAnnotation && v == "true" {
diff --git a/pkg/chains/rekor_test.go b/pkg/chains/rekor_test.go
index 4ba0fdb581..f236249821 100644
--- a/pkg/chains/rekor_test.go
+++ b/pkg/chains/rekor_test.go
@@ -63,6 +63,15 @@ func TestShouldUploadTlog(t *testing.T) {
 			annotations: map[string]string{RekorAnnotation: "true"},
 			expected:    true,
 		},
+		{
+			description: "already uploaded",
+			cfg: config.TransparencyConfig{
+				Enabled:          true,
+				VerifyAnnotation: true,
+			},
+			annotations: map[string]string{ChainsTransparencyAnnotation: "foo"},
+			expected:    false,
+		},
 	}
 
 	for _, test := range tests {