Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Docs on how to verify uv docker image attestations #11140

Merged
merged 1 commit into from
Feb 4, 2025
Merged

Docs on how to verify uv docker image attestations #11140

merged 1 commit into from
Feb 4, 2025
+56 −0

Conversation

mjpieters
Copy link
Contributor

@mjpieters mjpieters commented Jan 31, 2025
edited
Loading

@mjpieters mjpieters force-pushed the doc-docker-attestations branch from 960d431 to 4dec21b Compare January 31, 2025 19:12
@mjpieters mjpieters mentioned this pull request Jan 31, 2025
Merged
@zanieb zanieb self-assigned this Jan 31, 2025
@zanieb
Copy link
Member

zanieb commented Feb 3, 2025

https://github.com/astral-sh/uv/releases/tag/0.5.27 should have the attestations

@mjpieters
Copy link
Contributor Author

Indeed, here they all are: https://github.com/astral-sh/uv/attestations

and they check out too:

% gh attestation verify --owner astral-sh oci://ghcr.io/astral-sh/uv:0.5.27
Loaded digest sha256:5adf09a5a526f380237408032a9308000d14d5947eafa687ad6c6a2476787b4f for oci://ghcr.io/astral-sh/uv:0.5.27
Loaded 1 attestation from GitHub API

The following policy criteria will be enforced:
- OIDC Issuer must match:................... https://token.actions.githubusercontent.com
- Source Repository Owner URI must match:... https://github.com/astral-sh
- Predicate type must match:................ https://slsa.dev/provenance/v1
- Subject Alternative Name must match regex: (?i)^https://github.com/astral-sh/

✓ Verification succeeded!

sha256:5adf09a5a526f380237408032a9308000d14d5947eafa687ad6c6a2476787b4f was attested by:
REPO          PREDICATE_TYPE                  WORKFLOW
astral-sh/uv  https://slsa.dev/provenance/v1  .github/workflows/build-docker.yml@refs/heads/main

I'll update the examples now.

@mjpieters mjpieters force-pushed the doc-docker-attestations branch from 4dec21b to 40b20e5 Compare February 4, 2025 16:20
@mjpieters mjpieters requested a review from samypr100 February 4, 2025 16:20
@mjpieters
Copy link
Contributor Author

As far as I am concerned I think this is ready to merge now.

@zanieb zanieb merged commit 04374b0 into astral-sh:main Feb 4, 2025
61 checks passed
@zanieb zanieb added the documentation Improvements or additions to documentation label Feb 4, 2025
@zanieb
Copy link
Member

zanieb commented Feb 4, 2025

Thanks again!

@mjpieters mjpieters deleted the doc-docker-attestations branch February 4, 2025 23:01
@BrewTestBot BrewTestBot mentioned this pull request Feb 5, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@zanieb zanieb zanieb approved these changes

@samypr100 samypr100 Awaiting requested review from samypr100

Assignees

@zanieb zanieb

Labels
documentation Improvements or additions to documentation
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@mjpieters @zanieb @samypr100