ci: add attestation to container images and SBOMs (#1789)
Add in-toto attestation to base image ci workflows, for both
SBOMs and images themselves upon build and push. Allow necessary
permissions to attest (attestations, packages) on these workflows.

Signed-off-by: Arthur Savage <[email protected]>
arthurus-rex authored Oct 23, 2024
1 parent eff2086 commit 8770bf5
Showing 1 changed file with 19 additions and 0 deletions.
19 changes: 19 additions & 0 deletions .github/workflows/image.yml
Expand Up @@ -21,6 +21,8 @@ jobs:
permissions:
contents: read
id-token: write
attestations: write
packages: write
strategy:
fail-fast: false
matrix:
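Review bot: `packages: write`, added under `permissions:`, looks broader than this job needs. That scope governs GitHub Packages (ghcr.io), while every subject in this workflow is `quay.io/sustainable_computing_io/...`, which is pushed with registry credentials rather than `GITHUB_TOKEN`. The two attestation actions need `id-token: write` (already present), `attestations: write` (added here) and `contents: read`; none of them need the packages scope for a quay.io subject. Unless a step in this job actually pushes to ghcr.io, drop `packages: write` to keep the job at least privilege, and if it is needed, say which step uses it in the commit message rather than "necessary permissions".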
Expand Down Expand Up @@ -96,6 +98,14 @@ jobs:
run: |
cosign sign -y quay.io/sustainable_computing_io/${{matrix.IMAGE_NAME}}:${{matrix.LABEL}}@${{ steps.build-push-image.outputs.digest }}
- name: Generate image attestation
if: ${{ (github.event_name == 'push' || github.event_name == 'workflow_dispatch')}}
uses: actions/attest-build-provenance@v1
with:
subject-name: quay.io/sustainable_computing_io/${{matrix.IMAGE_NAME}}
subject-digest: ${{ steps.build-push-image.outputs.digest }}
push-to-registry: ${{ inputs.pushImage }}

- name: Generate SBOM
uses: anchore/[email protected]
with:
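Review bot: the `if:` on the new `Generate image attestation` step gates on the event name, but `push-to-registry: ${{ inputs.pushImage }}` gates on a workflow input, and the two disagree. On a plain `push` event the `inputs` context is empty, so `inputs.pushImage` evaluates to nothing: the provenance statement is generated and stored on GitHub but never pushed to quay.io next to the image, which is where a consumer running `cosign verify-attestation` or the registry's referrers lookup would look for it. Use one condition for the step and for `push-to-registry`; the cleanest is the one that already guards `build-push-image` and `cosign sign`, since provenance is only meaningful for an image that was actually pushed, and `steps.build-push-image.outputs.digest` must exist for `subject-digest` to be non-empty. Two smaller points: `push-to-registry` requires the runner to be logged in to quay.io when this step runs, so keep it after the push step as it is here; and `actions/attest-build-provenance@v1` is a floating major tag, whereas a job whose purpose is signing and attesting artifacts is the one place a SHA pin is worth the churn.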
Expand All @@ -110,3 +120,12 @@ jobs:
name: sbom-${{matrix.IMAGE_NAME}}-${{matrix.LABEL}}.spdx.json
path: ./sbom-${{matrix.IMAGE_NAME}}-${{matrix.LABEL}}.spdx.json
retention-days: 1

- name: Generate SBOM attestation
uses: actions/attest-sbom@v1
if: ${{ inputs.pushImage }}
with:
subject-name: quay.io/sustainable_computing_io/${{matrix.IMAGE_NAME}}
subject-digest: ${{ steps.build-push-image.outputs.digest }}
sbom-path: ./sbom-${{matrix.IMAGE_NAME}}-${{matrix.LABEL}}.spdx.json
push-to-registry: ${{ inputs.pushImage }}

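Review bot: `if: ${{ inputs.pushImage }}` on `Generate SBOM attestation` means this step is skipped entirely on `push` events, where `inputs` is empty, so a push-triggered build ends up with an image provenance attestation (gated on event name in the previous hunk) but no SBOM attestation. Align the two steps so both attestations are published together or not at all, otherwise a verifier that requires both will fail on exactly the builds that matter. Also note the ordering dependency: `sbom-path` points at the file written by the `Generate SBOM` step, which has no `if:` and whose uploaded artifact expires after `retention-days: 1`, so once the registry copy is the durable one, this step should only run when `push-to-registry` is actually true, which is what the current condition does; just make the image attestation step match it.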