Add Github Attestations support
dfunkt committed May 4, 2024
1 parent 15e35f4 commit adbf3f4
Showing 4 changed files with 27 additions and 0 deletions.
24 changes: 24 additions & 0 deletions .github/workflows/build-and-push.yaml
Expand Up @@ -18,6 +18,8 @@ jobs:
permissions:
contents: read
packages: write
id-token: write
attestations: write

steps:
- name: Checkout repository
Expand Down Expand Up @@ -49,6 +51,7 @@ jobs:
- name: Bake ${{ matrix.base_image }} containers
uses: docker/bake-action@v4
id: build
env:
BASE_TAGS: "${{ env.BASE_TAGS }}"
CONTAINER_REGISTRIES: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
Expand All @@ -57,9 +60,30 @@ jobs:
VW_VERSION: ${{ github.sha }}
with:
push: true
sbom: true
files: docker/docker-bake.hcl
targets: ${{ matrix.base_image }}-multi
set: |
*.platform=linux/amd64,linux/arm64
*.cache-from=type=gha
*.cache-to=type=gha,mode=max
- name: Extract digest SHA
run: |
GET_DIGEST_SHA="$(echo '${{ steps.build.outputs.metadata }}' | jq -r '.["${{ matrix.base_image }}-multi"]."containerimage.digest"')"
echo "DIGEST_SHA=${GET_DIGEST_SHA}" | tee -a "${GITHUB_ENV}"
- name: Generate build provenance attestation
uses: actions/attest-build-provenance@v1
with:
subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
subject-digest: ${{ env.DIGEST_SHA }}
push-to-registry: true

- name: Generate SBOM attestation
uses: actions/attest-sbom@v1
with:
subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
subject-digest: ${{ env.DIGEST_SHA }}
sbom-path: 'sbom.spdx.json'
push-to-registry: true
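Review bot: The "Extract digest SHA" step neither guards against an empty or `null` digest nor keeps the bake metadata JSON out of the shell command text, and both attestation steps below consume whatever it produces. `jq -r` prints the literal string `null` when the `${{ matrix.base_image }}-multi` key or `containerimage.digest` is missing, so `DIGEST_SHA=null` would be handed to `subject-digest` in both attest steps, and expanding `steps.build.outputs.metadata` inside a single-quoted shell string breaks as soon as the JSON contains a `'`; passing the metadata through `env` and failing the step on a missing digest avoids both. Separately, nothing in this hunk writes `sbom.spdx.json`: `sbom: true` on the bake step is visible, but whether it places an SPDX file at that workspace path (rather than attaching the SBOM to the pushed image) should be confirmed before relying on the `actions/attest-sbom` step. The enclosing job starts outside the hunk.
```yaml
      - name: Extract digest SHA
        env:
          BAKE_METADATA: ${{ steps.build.outputs.metadata }}
        run: |
          GET_DIGEST_SHA="$(jq -r --arg target "${{ matrix.base_image }}-multi" '.[$target]."containerimage.digest"' <<< "${BAKE_METADATA}")"
          if [[ -z "${GET_DIGEST_SHA}" || "${GET_DIGEST_SHA}" == "null" ]]; then
            echo "No image digest found in bake metadata" >&2
            exit 1
          fi
          echo "DIGEST_SHA=${GET_DIGEST_SHA}" | tee -a "${GITHUB_ENV}"
      # … unchanged: provenance and SBOM attestation steps …
```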
1 change: 1 addition & 0 deletions docker/Dockerfile.alpine
Expand Up @@ -39,6 +39,7 @@ FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:arm-musleabi-stable-1.78.
########################## BUILD IMAGE ##########################
# hadolint ignore=DL3006
FROM --platform=linux/amd64 build_${TARGETARCH}${TARGETVARIANT} as build
ARG BUILDKIT_SBOM_SCAN_STAGE=true
ARG TARGETARCH
ARG TARGETVARIANT
ARG TARGETPLATFORM
1 change: 1 addition & 0 deletions docker/Dockerfile.debian
Expand Up @@ -37,6 +37,7 @@ FROM --platform=linux/amd64 docker.io/tonistiigi/xx@sha256:0cd3f05c72d6c9b038eb1
# hadolint ignore=DL3006
FROM --platform=$BUILDPLATFORM docker.io/library/rust:1.78.0-slim-bookworm as build
COPY --from=xx / /
ARG BUILDKIT_SBOM_SCAN_STAGE=true
ARG TARGETARCH
ARG TARGETVARIANT
ARG TARGETPLATFORM
1 change: 1 addition & 0 deletions docker/Dockerfile.j2
Expand Up @@ -48,6 +48,7 @@ FROM --platform={{ build_stage_image[base].platform }} {{ build_stage_image[base
{% if base == "debian" %}
COPY --from=xx / /
{% endif %}
ARG BUILDKIT_SBOM_SCAN_STAGE=true
ARG TARGETARCH
ARG TARGETVARIANT
ARG TARGETPLATFORM
