-
Notifications
You must be signed in to change notification settings - Fork 174
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Build and sign container images on new tags #1017
base: main
Are you sure you want to change the base?
Conversation
87a65ce
to
178364e
Compare
ℹ️ One of the things that isn't clear yet is why the attestations show up as It seems related to the Reference Types effort effort which might not be implemented by the GHCR. |
In order to get the attestation from the container registry, one need to do a few HTTP requests. We found these do be hard to put together, so here is a summary of the calls we had to do (testing on my personal user in order to have the container be public):
Variable definitions:
Authentication:
These calls have been put together in a small script I wrote to download the attestations from a container registry for a specific tag. |
While trying to build our own attestations (without using the GHA), we've been puzzled by how the container registry was populated in different ways. It turns out that attestations are different from plain signatures:
What's been complex to understand is that cosign, in their documentation, points us to use (the attest-build-provenance this PR has been using uses the Cosign Bundle Specification) |
This pull request introduces a new workflow to automate the release and signature (via sigstore) of container images. The workflow listens for new tags, builds a container image, signs it, and uploads it to the container registry.
Here is a list of the produced assets:
Verifying the validity of the attestation can be done with the following commands:
We should be able to also do it using sigstore-python and raw HTTP calls, but because the main goal here is to see how it works, I stopped there.
Related to #745