diff --git a/.github/workflows/build-agent.yml b/.github/workflows/build-agent.yml index 75222bdfa..13437a8d5 100644 --- a/.github/workflows/build-agent.yml +++ b/.github/workflows/build-agent.yml @@ -67,9 +67,6 @@ jobs: name: bake-meta path: /tmp - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 @@ -84,6 +81,7 @@ jobs: uses: docker/bake-action@v5 with: sbom: true + provenance: true files: | ./docker-bake-agent.hcl /tmp/bake-meta.json @@ -108,7 +106,7 @@ jobs: retention-days: 1 - name: Attest Build Provenance - uses: actions/attest-build-provenance@v1 + uses: actions/attest-build-provenance@v2 with: subject-digest: "${{ fromJSON(steps.bake.outputs.metadata).image['containerimage.digest'] }}" push-to-registry: false @@ -116,6 +114,10 @@ jobs: merge: runs-on: ubuntu-latest + permissions: + id-token: write + contents: read + attestations: write needs: - build steps: @@ -147,6 +149,20 @@ jobs: docker buildx imagetools create $(jq -cr '.target."docker-metadata-action".tags | map(select(startswith("${{ env.REGISTRY_IMAGE }}")) | "-t " + .) | join(" ")' /tmp/bake-meta.json) \ $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *) + - name: Get merged manifest digest + id: manifest + run: | + TAG=$(jq -r '.target."docker-metadata-action".args.DOCKER_META_VERSION' /tmp/bake-meta.json) + DIGEST="sha256:$(docker buildx imagetools inspect "${{ env.REGISTRY_IMAGE }}:${TAG}" --raw | sha256sum | cut -d ' ' -f1)" + echo "digest=${DIGEST}" >> $GITHUB_OUTPUT + + - name: Attest Merged Manifest Provenance + uses: actions/attest-build-provenance@v2 + with: + subject-digest: ${{ steps.manifest.outputs.digest }} + subject-name: ${{ env.REGISTRY_IMAGE }} + push-to-registry: false + - name: Inspect image run: | docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:$(jq -r '.target."docker-metadata-action".args.DOCKER_META_VERSION' /tmp/bake-meta.json) \ No newline at end of file 
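Review bot: The bumped `uses: actions/attest-build-provenance@v2` is pinned to a mutable major tag, which is a weak anchor for the very step that produces the provenance consumers will later trust; the same tag-pinned reference is introduced in build.yml, quay.yml, saas.yml and ws-server.yml. The rest of these workflows pin actions by tag as well, so this matches existing style, but a SHA pin with a version comment, e.g. `uses: actions/attest-build-provenance@<commit-sha> # v2`, is the usual hardening for attestation and signing steps and still lets Dependabot track the major version. If the project chooses to SHA-pin, doing it for the attest steps first gives the most value.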
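Review bot: The new job-level `permissions:` block on `merge` grants `id-token: write`, `contents: read` and `attestations: write` but no `packages: write`, and a job-level block replaces the workflow-level grant entirely rather than extending it, while the `imagetools create` step in this same job pushes a manifest list to `${{ env.REGISTRY_IMAGE }}`. Whether that matters depends on where REGISTRY_IMAGE points, which is outside the hunk: a GHCR push authenticated with the job token would now fail, whereas Docker Hub or Quay logins via stored secrets are unaffected. If the target is GHCR, add `packages: write` to the block; the identical block is added to the merge job in build.yml and quay.yml. Scoping permissions to the job rather than the workflow is the right direction either way.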
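Review bot: In the added `Get merged manifest digest` step the `run:` script sets neither `shell: bash` nor `set -o pipefail`, so the default `bash -e` shell only checks the last command of the pipeline; if `docker buildx imagetools inspect` fails, `sha256sum` hashes empty input and the step still emits a well-formed `sha256:` value that the following `Attest Merged Manifest Provenance` step then attests. The digest is also obtained by re-hashing the `--raw` output instead of reading the registry's descriptor, so any byte difference between that output and the stored manifest (a trailing newline, for instance) produces a digest that matches no artifact, and resolving the mutable tag again after `imagetools create` attests whatever is behind the tag at that instant rather than the index this job just pushed. Consider `shell: bash` on the step and taking the digest from the descriptor, e.g. `DIGEST=$(docker buildx imagetools inspect "${{ env.REGISTRY_IMAGE }}:${TAG}" --format '{{.Manifest.Digest}}')`, and quoting the redirect as `>> "$GITHUB_OUTPUT"`. The same step is added verbatim to build.yml and quay.yml.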
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 0f4f2f243..77aad45db 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -68,9 +68,6 @@ jobs: name: bake-meta path: /tmp - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 @@ -85,6 +82,7 @@ jobs: uses: docker/bake-action@v5 with: sbom: true + provenance: true files: | ./docker-bake.hcl /tmp/bake-meta.json @@ -109,14 +107,18 @@ jobs: retention-days: 1 - name: Attest Build Provenance - uses: actions/attest-build-provenance@v1 + uses: actions/attest-build-provenance@v2 with: subject-digest: "${{ fromJSON(steps.bake.outputs.metadata).image['containerimage.digest'] }}" push-to-registry: false - subject-name: ${{ env.REGISTRY_IMAGE }} + subject-name: ${{ env.REGISTRY_IMAGE }} merge: runs-on: ubuntu-latest + permissions: + id-token: write + contents: read + attestations: write needs: - build steps: @@ -148,6 +150,20 @@ jobs: docker buildx imagetools create $(jq -cr '.target."docker-metadata-action".tags | map(select(startswith("${{ env.REGISTRY_IMAGE }}")) | "-t " + .) | join(" ")' /tmp/bake-meta.json) \ $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *) + - name: Get merged manifest digest + id: manifest + run: | + TAG=$(jq -r '.target."docker-metadata-action".args.DOCKER_META_VERSION' /tmp/bake-meta.json) + DIGEST="sha256:$(docker buildx imagetools inspect "${{ env.REGISTRY_IMAGE }}:${TAG}" --raw | sha256sum | cut -d ' ' -f1)" + echo "digest=${DIGEST}" >> $GITHUB_OUTPUT + + - name: Attest Merged Manifest Provenance + uses: actions/attest-build-provenance@v2 + with: + subject-digest: ${{ steps.manifest.outputs.digest }} + subject-name: ${{ env.REGISTRY_IMAGE }} + push-to-registry: false + - name: Inspect image run: | docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:$(jq -r '.target."docker-metadata-action".args.DOCKER_META_VERSION' /tmp/bake-meta.json) 
diff --git a/.github/workflows/quay.yml b/.github/workflows/quay.yml index 7fba6ed55..ccad59efe 100644 --- a/.github/workflows/quay.yml +++ b/.github/workflows/quay.yml @@ -92,6 +92,7 @@ jobs: uses: docker/bake-action@v5 with: sbom: true + provenance: true files: | ./docker-bake.hcl /tmp/bake-meta.json @@ -116,7 +117,7 @@ jobs: retention-days: 1 - name: Attest Build Provenance - uses: actions/attest-build-provenance@v1 + uses: actions/attest-build-provenance@v2 with: subject-digest: "${{ fromJSON(steps.bake.outputs.metadata).image['containerimage.digest'] }}" push-to-registry: false @@ -124,6 +125,10 @@ jobs: merge: runs-on: ubuntu-latest + permissions: + id-token: write + contents: read + attestations: write needs: - build steps: @@ -156,6 +161,20 @@ jobs: docker buildx imagetools create $(jq -cr '.target."docker-metadata-action".tags | map(select(startswith("${{ env.REGISTRY_IMAGE }}")) | "-t " + .) | join(" ")' /tmp/bake-meta.json) \ $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *) + - name: Get merged manifest digest + id: manifest + run: | + TAG=$(jq -r '.target."docker-metadata-action".args.DOCKER_META_VERSION' /tmp/bake-meta.json) + DIGEST="sha256:$(docker buildx imagetools inspect "${{ env.REGISTRY_IMAGE }}:${TAG}" --raw | sha256sum | cut -d ' ' -f1)" + echo "digest=${DIGEST}" >> $GITHUB_OUTPUT + + - name: Attest Merged Manifest Provenance + uses: actions/attest-build-provenance@v2 + with: + subject-digest: ${{ steps.manifest.outputs.digest }} + subject-name: ${{ env.REGISTRY_IMAGE }} + push-to-registry: false + - name: Inspect image run: | docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:$(jq -r '.target."docker-metadata-action".args.DOCKER_META_VERSION' /tmp/bake-meta.json) diff --git a/.github/workflows/saas.yml b/.github/workflows/saas.yml index 0b7a45ef7..1f771e256 100644 --- a/.github/workflows/saas.yml +++ b/.github/workflows/saas.yml 
@@ -27,6 +27,7 @@ jobs: permissions: contents: read packages: write + attestations: write # This is used to complete the identity challenge # with sigstore/fulcio when running outside of PRs. id-token: write @@ -92,6 +93,16 @@ jobs: labels: ${{ steps.meta.outputs.labels }} cache-from: type=gha cache-to: type=gha,mode=max + sbom: true + provenance: true + + - name: Attest Build Provenance + if: ${{ github.event_name != 'pull_request' }} + uses: actions/attest-build-provenance@v2 + with: + subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + subject-digest: ${{ steps.build-and-push.outputs.digest }} + push-to-registry: true # Sign the resulting Docker image digest except on PRs. # This will only write to the public Rekor transparency log when the Docker diff --git a/.github/workflows/ws-server.yml b/.github/workflows/ws-server.yml index a18c66c90..975c309ff 100644 --- a/.github/workflows/ws-server.yml +++ b/.github/workflows/ws-server.yml @@ -27,6 +27,7 @@ jobs: permissions: contents: read packages: write + attestations: write # This is used to complete the identity challenge # with sigstore/fulcio when running outside of PRs. id-token: write @@ -80,6 +81,16 @@ jobs: labels: ${{ steps.meta.outputs.labels }} cache-from: type=gha cache-to: type=gha,mode=max + sbom: true + provenance: true + + - name: Attest Build Provenance + if: ${{ github.event_name != 'pull_request' }} + uses: actions/attest-build-provenance@v2 + with: + subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + subject-digest: ${{ steps.build-and-push.outputs.digest }} + push-to-registry: true # Sign the resulting Docker image digest except on PRs. # This will only write to the public Rekor transparency log when the Docker
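Review bot: Enabling `provenance: true` (alongside `sbom: true`) on the `docker/build-push-action` step changes what is pushed: BuildKit attaches the attestations as an additional manifest, so the tag now resolves to an OCI image index even for a single-platform build and `steps.build-and-push.outputs.digest` becomes the index digest. The new attest step and the signing step referenced by the comments below it both consume that output, which is consistent, but any consumer that expects a plain image manifest should be checked against the rendered result, since some registries and older tooling reject indexes. `push-to-registry: true` also relies on the registry login earlier in the job still being valid and on the registry accepting referrer artifacts; for GHCR the `subject-name` must be lowercase, so confirm that `IMAGE_NAME`, defined outside the hunk, is normalized. The same two changes are made in ws-server.yml.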