1616 packages : write
1717 attestations : write
1818 id-token : write
19+ outputs :
20+ digest : ${{ steps.build-and-push-backend.outputs.digest }}
1921 steps :
2022 -
2123 name : Checkout
5052 file : ./docker/backend/prod/django/Dockerfile
5153 platforms : linux/amd64
5254 push : true
55+ # Disable buildkit attestations so the pushed reference is the image
56+ # manifest digest (not an index), which the SLSA generator requires.
57+ provenance : false
5358 tags : oci.stackable.tech/stackable/secobserve-backend:dev
5459 build-args : |
5560 CREATED=${{ env.CREATED }}
@@ -59,13 +64,31 @@ jobs:
5964 name : Sign the published backend image
6065 run : cosign sign -y oci.stackable.tech/stackable/secobserve-backend@${{ steps.build-and-push-backend.outputs.digest }}
6166
67+ provenance_backend_dev :
68+ needs : [docker_backend_dev]
69+ permissions :
70+ actions : read # detect the build workflow that generated the image
71+ id-token : write # mint the OIDC token for keyless signing
72+ packages : write # needed until https://github.com/slsa-framework/slsa-github-generator/issues/1257 is resolved
73+ # MUST be referenced by a @vX.Y.Z tag (not a SHA), otherwise the
74+ # reusable workflow cannot verify its own provenance.
75+ uses : slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0
76+ with :
77+ image : oci.stackable.tech/stackable/secobserve-backend
78+ digest : ${{ needs.docker_backend_dev.outputs.digest }}
79+ registry-username : robot$stackable+github-action-build
80+ secrets :
81+ registry-password : ${{ secrets.HARBOR_ROBOT_STACKABLE_GITHUB_ACTION_BUILD_SECRET }}
82+
6283 docker_frontend_dev :
6384 runs-on : ubuntu-latest
6485 permissions :
6586 contents : read
6687 packages : write
6788 attestations : write
6889 id-token : write
90+ outputs :
91+ digest : ${{ steps.build-and-push-frontend.outputs.digest }}
6992 steps :
7093 -
7194 name : Checkout
99122 file : ./docker/frontend/prod/Dockerfile
100123 platforms : linux/amd64
101124 push : true
125+ # Disable buildkit attestations so the pushed reference is the image
126+ # manifest digest (not an index), which the SLSA generator requires.
127+ provenance : false
102128 tags : oci.stackable.tech/stackable/secobserve-frontend:dev
103129 build-args : |
104130 CREATED=${{ env.CREATED }}
@@ -107,3 +133,19 @@ jobs:
107133 -
108134 name : Sign the published frontend image
109135 run : cosign sign -y oci.stackable.tech/stackable/secobserve-frontend@${{ steps.build-and-push-frontend.outputs.digest }}
136+
137+ provenance_frontend_dev :
138+ needs : [docker_frontend_dev]
139+ permissions :
140+ actions : read # detect the build workflow that generated the image
141+ id-token : write # mint the OIDC token for keyless signing
142+ packages : write # needed until https://github.com/slsa-framework/slsa-github-generator/issues/1257 is resolved
143+ # MUST be referenced by a @vX.Y.Z tag (not a SHA), otherwise the
144+ # reusable workflow cannot verify its own provenance.
145+ uses : slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0
146+ with :
147+ image : oci.stackable.tech/stackable/secobserve-frontend
148+ digest : ${{ needs.docker_frontend_dev.outputs.digest }}
149+ registry-username : robot$stackable+github-action-build
150+ secrets :
151+ registry-password : ${{ secrets.HARBOR_ROBOT_STACKABLE_GITHUB_ACTION_BUILD_SECRET }}
0 commit comments