From dc5a1d9e0be146571823e9236f0ad21917b57dd2 Mon Sep 17 00:00:00 2001 From: Stefan Prodan Date: Wed, 21 Jun 2023 15:46:10 +0300 Subject: [PATCH] Generate provenance for container images Signed-off-by: Stefan Prodan --- .github/workflows/release.yaml | 38 +++++++++++++++++++++++++++++++++- .goreleaser.yaml | 8 +++---- 2 files changed, 40 insertions(+), 6 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index f5fa24a..3b38fa0 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -21,6 +21,8 @@ jobs: release: outputs: hashes: ${{ steps.hash.outputs.hashes }} + image_url: ${{ steps.hash.outputs.image_url }} + image_digest: ${{ steps.hash.outputs.image_digest }} runs-on: ubuntu-latest permissions: contents: write # needed to write releases @@ -72,6 +74,7 @@ jobs: type=raw,value=${{ steps.prep.outputs.version }} - name: Docker push uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1 + id: build-push with: sbom: true provenance: true @@ -106,8 +109,13 @@ jobs: hashes=$(echo $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join(" ") | sub("^sha256:";"")' | base64 -w0) echo "hashes=$hashes" >> $GITHUB_OUTPUT + + image_url=fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.version }} + image_digest=${{ steps.build-push.outputs.digest }} + echo "image_url=$image_url" >> $GITHUB_OUTPUT + echo "image_digest=$image_digest" >> $GITHUB_OUTPUT - provenance: + release-provenance: needs: [release] permissions: actions: read # To read the workflow path. 
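Review bot: The new `image_url=fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.version }}` and `image_digest=${{ steps.build-push.outputs.digest }}` lines splice workflow expressions straight into a `run:` shell script, the pattern GitHub's hardening guide flags as script injection; the version presumably derives from the pushed tag (not visible here), and git ref names may contain `;`, `$`, backticks and `|`, so whoever can push a tag controls text that lands unquoted in the shell. Pass the values through the step's `env:` block and reference shell variables instead, e.g. `VERSION: ${{ steps.prep.outputs.version }}` and `IMAGE_DIGEST: ${{ steps.build-push.outputs.digest }}` under `env:`, then `image_url="fluxcd/${CONTROLLER}:${VERSION}"` and `image_digest="${IMAGE_DIGEST}"`. The output also carries no registry host, so the Docker Hub job later uses it bare while the GHCR job prefixes `ghcr.io/`; a name such as `image_name` would make that contract clearer. The `run:` step's opening lines and the renamed `release-provenance` job body continue outside this hunk.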
@@ -117,3 +125,31 @@ jobs: with: base64-subjects: "${{ needs.release.outputs.hashes }}" upload-assets: true + + dockerhub-provenance: + needs: [release] + permissions: + actions: read # To read the workflow path. + id-token: write # To sign the provenance. + contents: write # To add assets to the release. + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.7.0 + with: + image: ${{ needs.release.outputs.image_url }} + digest: ${{ needs.release.outputs.image_digest }} + registry-username: fluxcdbot + secrets: + registry-password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }} + + ghcr-provenance: + needs: [release] + permissions: + actions: read # To read the workflow path. + id-token: write # To sign the provenance. + contents: write # To add assets to the release. + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.7.0 + with: + image: ghcr.io/${{ needs.release.outputs.image_url }} + digest: ${{ needs.release.outputs.image_digest }} + registry-username: fluxcdbot + secrets: + registry-password: ${{ secrets.GHCR_TOKEN }} \ No newline at end of file diff --git a/.goreleaser.yaml b/.goreleaser.yaml index be079fb..3087ed3 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml @@ -6,13 +6,11 @@ builds: release: prerelease: auto footer: | - ## Signed images + ## Container images - Verify and pull the container image: - ``` - cosign verify ghcr.io/fluxcd/{{.ProjectName}}:{{.Tag}} - docker pull ghcr.io/fluxcd/{{.ProjectName}}:{{.Tag}} + docker.io/fluxcd/{{.ProjectName}}:{{.Tag}} + ghcr.io/fluxcd/{{.ProjectName}}:{{.Tag}} ``` Supported architectures: `linux/amd64`, `linux/arm64` and `linux/arm/v7`.
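Review bot: Both new jobs reference `generator_generic_slsa3.yml` yet pass `image`, `digest`, `registry-username` and the `registry-password` secret, which as far as the generator's documented interface goes belong to the container generator; the generic one takes `base64-subjects`, exactly as the `release-provenance` job just above does. A reusable-workflow call with undefined inputs should fail validation, so no image provenance would be produced; each `uses:` line should read `slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.7.0`. The `contents: write # To add assets to the release.` permission is copied from the release job but pushing an attestation to a registry does not need it; drop it, and for GHCR prefer `packages: write` with `${{ secrets.GITHUB_TOKEN }}` over the long-lived `GHCR_TOKEN` so the credential is scoped to the job. The file also loses its trailing newline.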
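Review bot: The rewritten footer removes the `cosign verify ghcr.io/fluxcd/{{.ProjectName}}:{{.Tag}}` instruction, so the release notes no longer tell a consumer how to verify the images even though this commit starts publishing SLSA provenance for them. If keyless signing still happens elsewhere in the workflow (not visible in this diff), keep the `cosign verify` line; either way add a pointer to the new attestation, e.g. `slsa-verifier verify-image docker.io/fluxcd/{{.ProjectName}}:{{.Tag}}@<digest> --source-uri github.com/fluxcd/{{.ProjectName}}`. Listing the two image references with no verification step steers users toward pulling by mutable tag.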