Commit
ci: add attestation to container images and SBOMs
Add in-toto attestation to base image ci workflows, for both
SBOMs and images themselves upon build and push. Allow necessary
permissions to attest (attestations, packages) on these workflows.

Signed-off-by: Arthur Savage <[email protected]>
arthurus-rex committed Oct 1, 2024
1 parent 8d4b3ae commit dd90b33
Showing 2 changed files with 26 additions and 0 deletions.
17 changes: 17 additions & 0 deletions .github/workflows/image.yml
@@ -21,6 +21,8 @@ jobs:
permissions:
contents: read
id-token: write
attestations: write
packages: write
strategy:
fail-fast: false
matrix:
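Review bot: `packages: write` in this permissions block looks broader than the change needs; the image and its attestation in this workflow are pushed to quay.io (see the `cosign sign` and `subject-name` lines below), and the `packages` scope only governs GitHub Packages (ghcr.io). Unless the workflow also pushes to ghcr.io, drop it and keep `attestations: write` together with the existing `id-token: write`, which are the permissions `actions/attest-build-provenance` needs for Sigstore signing and for storing the attestation in GitHub.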
@@ -96,6 +98,13 @@ jobs:
run: |
cosign sign -y quay.io/sustainable_computing_io/${{matrix.IMAGE_NAME}}:${{matrix.LABEL}}@${{ steps.build-push-image.outputs.digest }}
- name: Generate image attestation
uses: actions/attest-build-provenance@v1
with:
subject-name: quay.io/sustainable_computing_io/${{matrix.IMAGE_NAME}}
subject-digest: ${{ steps.build-push-image.outputs.digest }}
push-to-registry: true

- name: Generate SBOM
uses: anchore/[email protected]
with:
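Review bot: the new step is pinned to the mutable `@v1` tag, yet it is the step that produces the provenance consumers will trust; pin it to a full commit SHA (with the version in a trailing comment) so a re-tagged release cannot silently change what gets attested. `push-to-registry: true` also requires that an earlier step has already logged in to quay.io with push rights, because the attestation is stored as an OCI artifact next to the image; that login is not in this hunk, so confirm it runs before this step. Note that the subject is identified by `subject-digest` alone, so the `${{matrix.LABEL}}` tag used by the `cosign sign` line does not need to appear in `subject-name`.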
@@ -110,3 +119,11 @@ jobs:
name: sbom-${{matrix.IMAGE_NAME}}-${{matrix.LABEL}}.spdx.json
path: ./sbom-${{matrix.IMAGE_NAME}}-${{matrix.LABEL}}.spdx.json
retention-days: 1

- name: Generate SBOM attestation
uses: actions/attest-sbom@v1
with:
subject-name: quay.io/sustainable_computing_io/${{matrix.IMAGE_NAME}}
subject-digest: ${{ steps.build-push-image.outputs.digest }}
sbom-path: ./sbom-${{matrix.IMAGE_NAME}}-${{matrix.LABEL}}.spdx.json
push-to-registry: true
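Review bot: same pinning concern as the provenance step: `actions/attest-sbom@v1` is a mutable tag and should be pinned to a commit SHA. The `sbom-path` matches the `path:` uploaded by the `Generate SBOM` step, so the attested SBOM is the same file; since that artifact is kept for only `retention-days: 1`, the attestation pushed to the registry becomes the durable copy, which is worth stating in a comment or in the workflow documentation. Consider a follow-up step that runs `gh attestation verify` against the pushed digest so the job fails if the attestation was not actually stored.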
9 changes: 9 additions & 0 deletions .github/workflows/image_base.yml
@@ -18,6 +18,8 @@ jobs:
permissions:
contents: read
id-token: write
attestations: write
packages: write
steps:
- name: Checkout
uses: actions/checkout@v4
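Review bot: as in image.yml, `packages: write` is added here although the only image this workflow handles is pushed to quay.io (the `kepler_builder` lines below); that scope only affects GitHub Packages, so drop it unless ghcr.io is also a target, and keep the permission blocks of the two workflows consistent with whichever decision is taken.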
@@ -48,3 +50,10 @@ jobs:
- name: Sign images with GitHub OIDC token
run: |
cosign sign -y quay.io/sustainable_computing_io/kepler_builder:ubi-9-libbpf-1.3.0@${{ steps.build-push-image.outputs.digest }}
- name: Generate image attestation
uses: actions/attest-build-provenance@v1
with:
subject-name: quay.io/sustainable_computing_io/kepler_builder
subject-digest: ${{ steps.build-push-image.outputs.digest }}
push-to-registry: ${{ inputs.pushImage }}
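Review bot: `push-to-registry: ${{ inputs.pushImage }}` only decides whether the attestation is copied to the registry; the step itself still runs when `pushImage` is false, generating and storing in GitHub an attestation for a digest that was never published to quay.io. Guard the whole step with `if: ${{ inputs.pushImage }}` (and the `cosign sign` step just above it, if it is not already guarded outside this hunk), and reconcile this with image.yml, which hardcodes `push-to-registry: true`. The `@v1` tag should be SHA-pinned here as well.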

0 comments on commit dd90b33
