24 changes: 20 additions & 4 deletions .github/workflows/build-agent.yml
Expand Up @@ -67,9 +67,6 @@ jobs:
name: bake-meta
path: /tmp

- name: Set up QEMU
uses: docker/setup-qemu-action@v3

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3

Expand All @@ -84,6 +81,7 @@ jobs:
uses: docker/bake-action@v5
with:
sbom: true
provenance: true
files: |
./docker-bake-agent.hcl
/tmp/bake-meta.json
Expand All @@ -108,14 +106,18 @@ jobs:
retention-days: 1

- name: Attest Build Provenance
uses: actions/attest-build-provenance@v1
uses: actions/attest-build-provenance@v2
with:
subject-digest: "${{ fromJSON(steps.bake.outputs.metadata).image['containerimage.digest'] }}"
push-to-registry: false
subject-name: ${{ env.REGISTRY_IMAGE }}

merge:
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
attestations: write
needs:
- build
steps:
Expand Down Expand Up @@ -147,6 +149,20 @@ jobs:
docker buildx imagetools create $(jq -cr '.target."docker-metadata-action".tags | map(select(startswith("${{ env.REGISTRY_IMAGE }}")) | "-t " + .) | join(" ")' /tmp/bake-meta.json) \
$(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *)

- name: Get merged manifest digest
id: manifest
run: |
TAG=$(jq -r '.target."docker-metadata-action".args.DOCKER_META_VERSION' /tmp/bake-meta.json)
DIGEST="sha256:$(docker buildx imagetools inspect "${{ env.REGISTRY_IMAGE }}:${TAG}" --raw | sha256sum | cut -d ' ' -f1)"
echo "digest=${DIGEST}" >> $GITHUB_OUTPUT

- name: Attest Merged Manifest Provenance
uses: actions/attest-build-provenance@v2
with:
subject-digest: ${{ steps.manifest.outputs.digest }}
subject-name: ${{ env.REGISTRY_IMAGE }}
push-to-registry: false

- name: Inspect image
run: |
docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:$(jq -r '.target."docker-metadata-action".args.DOCKER_META_VERSION' /tmp/bake-meta.json)
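Review bot: The digest produced by the new `Get merged manifest digest` step is not failure-safe: the workflow's default shell runs with `-e` but without `pipefail`, so if `docker buildx imagetools inspect` fails, `sha256sum` still hashes empty input and the step emits a well-formed but wrong digest that the following attest step then signs. Add `shell: bash` to the step (GitHub's explicit bash invocation enables `-eo pipefail`) or start the script with `set -o pipefail`, and quote the redirection as `echo "digest=${DIGEST}" >> "$GITHUB_OUTPUT"`. The digest is also recomputed by hashing the raw manifest of a mutable tag rather than read from the registry (e.g. `docker buildx imagetools inspect ... --format '{{.Manifest.Digest}}'`), and since the tag is re-resolved after the `imagetools create` step, a concurrent push of the same tag could attach the attestation to a different manifest; a comment recording that assumption would help reviewers. The identical step is added in build.yml and quay.yml.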
26 changes: 21 additions & 5 deletions .github/workflows/build.yml
Expand Up @@ -68,9 +68,6 @@ jobs:
name: bake-meta
path: /tmp

- name: Set up QEMU
uses: docker/setup-qemu-action@v3

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3

Expand All @@ -85,6 +82,7 @@ jobs:
uses: docker/bake-action@v5
with:
sbom: true
provenance: true
files: |
./docker-bake.hcl
/tmp/bake-meta.json
Expand All @@ -109,14 +107,18 @@ jobs:
retention-days: 1

- name: Attest Build Provenance
uses: actions/attest-build-provenance@v1
uses: actions/attest-build-provenance@v2
with:
subject-digest: "${{ fromJSON(steps.bake.outputs.metadata).image['containerimage.digest'] }}"
push-to-registry: false
subject-name: ${{ env.REGISTRY_IMAGE }}
subject-name: ${{ env.REGISTRY_IMAGE }}

merge:
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
attestations: write
needs:
- build
steps:
Expand Down Expand Up @@ -148,6 +150,20 @@ jobs:
docker buildx imagetools create $(jq -cr '.target."docker-metadata-action".tags | map(select(startswith("${{ env.REGISTRY_IMAGE }}")) | "-t " + .) | join(" ")' /tmp/bake-meta.json) \
$(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *)

- name: Get merged manifest digest
id: manifest
run: |
TAG=$(jq -r '.target."docker-metadata-action".args.DOCKER_META_VERSION' /tmp/bake-meta.json)
DIGEST="sha256:$(docker buildx imagetools inspect "${{ env.REGISTRY_IMAGE }}:${TAG}" --raw | sha256sum | cut -d ' ' -f1)"
echo "digest=${DIGEST}" >> $GITHUB_OUTPUT

- name: Attest Merged Manifest Provenance
uses: actions/attest-build-provenance@v2
with:
subject-digest: ${{ steps.manifest.outputs.digest }}
subject-name: ${{ env.REGISTRY_IMAGE }}
push-to-registry: false

- name: Inspect image
run: |
docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:$(jq -r '.target."docker-metadata-action".args.DOCKER_META_VERSION' /tmp/bake-meta.json)
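Review bot: The new `permissions:` block on the merge job replaces the token's default scopes with only `id-token`, `contents` and `attestations`, yet the job still pushes the manifest list with `docker buildx imagetools create`; if that push authenticates to GHCR with `GITHUB_TOKEN`, it now lacks `packages: write` (the login step is outside the hunk, so I cannot confirm which registry or credential is used). If a dedicated registry secret is used instead, a comment above the block such as `# registry push uses a dedicated secret, so packages: write is not needed here` would make the narrowed scopes self-explanatory. The same block is added in build-agent.yml and quay.yml.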
21 changes: 20 additions & 1 deletion .github/workflows/quay.yml
Expand Up @@ -92,6 +92,7 @@ jobs:
uses: docker/bake-action@v5
with:
sbom: true
provenance: true
files: |
./docker-bake.hcl
/tmp/bake-meta.json
Expand All @@ -116,14 +117,18 @@ jobs:
retention-days: 1

- name: Attest Build Provenance
uses: actions/attest-build-provenance@v1
uses: actions/attest-build-provenance@v2
with:
subject-digest: "${{ fromJSON(steps.bake.outputs.metadata).image['containerimage.digest'] }}"
push-to-registry: false
subject-name: ${{ env.REGISTRY_IMAGE }}

merge:
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
attestations: write
needs:
- build
steps:
Expand Down Expand Up @@ -156,6 +161,20 @@ jobs:
docker buildx imagetools create $(jq -cr '.target."docker-metadata-action".tags | map(select(startswith("${{ env.REGISTRY_IMAGE }}")) | "-t " + .) | join(" ")' /tmp/bake-meta.json) \
$(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *)

- name: Get merged manifest digest
id: manifest
run: |
TAG=$(jq -r '.target."docker-metadata-action".args.DOCKER_META_VERSION' /tmp/bake-meta.json)
DIGEST="sha256:$(docker buildx imagetools inspect "${{ env.REGISTRY_IMAGE }}:${TAG}" --raw | sha256sum | cut -d ' ' -f1)"
echo "digest=${DIGEST}" >> $GITHUB_OUTPUT

- name: Attest Merged Manifest Provenance
uses: actions/attest-build-provenance@v2
with:
subject-digest: ${{ steps.manifest.outputs.digest }}
subject-name: ${{ env.REGISTRY_IMAGE }}
push-to-registry: false

- name: Inspect image
run: |
docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:$(jq -r '.target."docker-metadata-action".args.DOCKER_META_VERSION' /tmp/bake-meta.json)
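Review bot: The `Attest Merged Manifest Provenance` step uses `push-to-registry: false`, whereas the new attest steps in saas.yml and ws-server.yml use `push-to-registry: true`; with `false` the attestation exists only in GitHub's attestation store, so consumers pulling from the registry cannot discover it as an OCI referrer and must verify against this repository with `gh attestation verify`. If that is intended, document it with `# attestation is kept in the GitHub attestation store only; verify with gh attestation verify --owner <org>` above the step; if not, set `push-to-registry: true`, which requires the registry login to still be active in this job. The same choice appears in build-agent.yml and build.yml.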
11 changes: 11 additions & 0 deletions .github/workflows/saas.yml
Expand Up @@ -27,6 +27,7 @@ jobs:
permissions:
contents: read
packages: write
attestations: write
# This is used to complete the identity challenge
# with sigstore/fulcio when running outside of PRs.
id-token: write
Expand Down Expand Up @@ -92,6 +93,16 @@ jobs:
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
sbom: true
provenance: true

- name: Attest Build Provenance
if: ${{ github.event_name != 'pull_request' }}
uses: actions/attest-build-provenance@v2
with:
subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
subject-digest: ${{ steps.build-and-push.outputs.digest }}
push-to-registry: true

# Sign the resulting Docker image digest except on PRs.
# This will only write to the public Rekor transparency log when the Docker
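Review bot: The new attest step relies on `steps.build-and-push.outputs.digest` and on an active registry login, both defined outside the hunk, so I cannot confirm the step id exists or that the login remains valid when `push-to-registry: true` writes the attestation to `${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}`. The workflow now produces two provenance records for one image — the BuildKit attestation attached via `provenance: true` and the Sigstore-signed attestation from this step — and nothing explains why both are wanted; a comment above the step such as `# BuildKit provenance is attached to the image index; this step adds a Sigstore-signed SLSA attestation verifiable with gh attestation verify` would prevent a later cleanup from dropping one of them. The same step is added in ws-server.yml.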
11 changes: 11 additions & 0 deletions .github/workflows/ws-server.yml
Expand Up @@ -27,6 +27,7 @@ jobs:
permissions:
contents: read
packages: write
attestations: write
# This is used to complete the identity challenge
# with sigstore/fulcio when running outside of PRs.
id-token: write
Expand Down Expand Up @@ -80,6 +81,16 @@ jobs:
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
sbom: true
provenance: true

- name: Attest Build Provenance
if: ${{ github.event_name != 'pull_request' }}
uses: actions/attest-build-provenance@v2
with:
subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
subject-digest: ${{ steps.build-and-push.outputs.digest }}
push-to-registry: true

# Sign the resulting Docker image digest except on PRs.
# This will only write to the public Rekor transparency log when the Docker