Skip to content

Commit dd33be7

Browse files
committed
feat: generate SLSA provenance
1 parent 560cc6c commit dd33be7

1 file changed

Lines changed: 42 additions & 0 deletions

File tree

.github/workflows/build_push_dev.yml

Lines changed: 42 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -16,6 +16,8 @@ jobs:
1616
packages: write
1717
attestations: write
1818
id-token: write
19+
outputs:
20+
digest: ${{ steps.build-and-push-backend.outputs.digest }}
1921
steps:
2022
-
2123
name: Checkout
@@ -50,6 +52,9 @@ jobs:
5052
file: ./docker/backend/prod/django/Dockerfile
5153
platforms: linux/amd64
5254
push: true
55+
# Disable buildkit attestations so the pushed reference is the image
56+
# manifest digest (not an index), which the SLSA generator requires.
57+
provenance: false
5358
tags: oci.stackable.tech/stackable/secobserve-backend:dev
5459
build-args: |
5560
CREATED=${{ env.CREATED }}
@@ -59,13 +64,31 @@ jobs:
5964
name: Sign the published backend image
6065
run: cosign sign -y oci.stackable.tech/stackable/secobserve-backend@${{ steps.build-and-push-backend.outputs.digest }}
6166

67+
provenance_backend_dev:
68+
needs: [docker_backend_dev]
69+
permissions:
70+
actions: read # detect the build workflow that generated the image
71+
id-token: write # mint the OIDC token for keyless signing
72+
packages: write # needed until https://github.com/slsa-framework/slsa-github-generator/issues/1257 is resolved
73+
# MUST be referenced by a @vX.Y.Z tag (not a SHA), otherwise the
74+
# reusable workflow cannot verify its own provenance.
75+
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0
76+
with:
77+
image: oci.stackable.tech/stackable/secobserve-backend
78+
digest: ${{ needs.docker_backend_dev.outputs.digest }}
79+
registry-username: robot$stackable+github-action-build
80+
secrets:
81+
registry-password: ${{ secrets.HARBOR_ROBOT_STACKABLE_GITHUB_ACTION_BUILD_SECRET }}
82+
6283
docker_frontend_dev:
6384
runs-on: ubuntu-latest
6485
permissions:
6586
contents: read
6687
packages: write
6788
attestations: write
6889
id-token: write
90+
outputs:
91+
digest: ${{ steps.build-and-push-frontend.outputs.digest }}
6992
steps:
7093
-
7194
name: Checkout
@@ -99,6 +122,9 @@ jobs:
99122
file: ./docker/frontend/prod/Dockerfile
100123
platforms: linux/amd64
101124
push: true
125+
# Disable buildkit attestations so the pushed reference is the image
126+
# manifest digest (not an index), which the SLSA generator requires.
127+
provenance: false
102128
tags: oci.stackable.tech/stackable/secobserve-frontend:dev
103129
build-args: |
104130
CREATED=${{ env.CREATED }}
@@ -107,3 +133,19 @@ jobs:
107133
-
108134
name: Sign the published frontend image
109135
run: cosign sign -y oci.stackable.tech/stackable/secobserve-frontend@${{ steps.build-and-push-frontend.outputs.digest }}
136+
137+
provenance_frontend_dev:
138+
needs: [docker_frontend_dev]
139+
permissions:
140+
actions: read # detect the build workflow that generated the image
141+
id-token: write # mint the OIDC token for keyless signing
142+
packages: write # needed until https://github.com/slsa-framework/slsa-github-generator/issues/1257 is resolved
143+
# MUST be referenced by a @vX.Y.Z tag (not a SHA), otherwise the
144+
# reusable workflow cannot verify its own provenance.
145+
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0
146+
with:
147+
image: oci.stackable.tech/stackable/secobserve-frontend
148+
digest: ${{ needs.docker_frontend_dev.outputs.digest }}
149+
registry-username: robot$stackable+github-action-build
150+
secrets:
151+
registry-password: ${{ secrets.HARBOR_ROBOT_STACKABLE_GITHUB_ACTION_BUILD_SECRET }}

0 commit comments

Comments
 (0)