Test attestation

.github/workflows/images_build.yml

@@ -30,6 +30,7 @@ env:
  TRUNK_ONLY_EVENT: ${{ contains(fromJSON('["schedule"]'), github.event_name) }}
  AUTO_PUSH_IMAGES: ${{ ! contains(fromJSON('["workflow_dispatch"]'), github.event_name) && vars.AUTO_PUSH_IMAGES }}
 
+ DOCKER_REGISTRY: ${{ vars.DOCKER_REGISTRY }}
  DOCKER_REPOSITORY: ${{ vars.DOCKER_REPOSITORY }}
  LATEST_BRANCH: ${{ github.event.repository.default_branch }}
  TRUNK_GIT_BRANCH: "refs/heads/trunk"
@@ -170,7 +171,8 @@ jobs:
  permissions:
  contents: read
  id-token: write
- packages: write
+ packages: ${{ env.AUTO_PUSH_IMAGES != 'true' && 'write' || 'none' }}
+ attestations: write
  steps:
  - name: Block egress traffic
  uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
@@ -268,16 +270,6 @@ jobs:
  ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }}
  fetch-depth: 1
 
- - name: Install cosign
- if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
- uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4
- with:
- cosign-release: 'v2.2.3'
-
- - name: Check cosign version
- if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
- run: cosign version
-
  - name: Set up QEMU
  uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
  with:
@@ -310,7 +302,7 @@ jobs:
  with:
  images: |
  ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }}
- ${{ format('{0}/{1}{2}', env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }}
+ ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }}
  context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }}
  tags: |
  type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}-
@@ -387,25 +379,14 @@ jobs:
  cache-from: ${{ steps.cache_data.outputs.cache_from }}
  cache-to: ${{ steps.cache_data.outputs.cache_to }}
 
- - name: Sign the images with GitHub OIDC Token
+ - name: Attest images
  if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
- env:
- DIGEST: ${{ steps.docker_build.outputs.digest }}
- TAGS: ${{ steps.meta.outputs.tags }}
- run: |
- images=""
- for tag in ${TAGS}; do
- images+="${tag}@${DIGEST} "
- done
-
- echo "::group::Images to sign"
- echo "$images"
- echo "::endgroup::"
-
- echo "::group::Signing"
- echo "cosign sign --yes $images"
- cosign sign --yes ${images}
- echo "::endgroup::"
+ id: attest
+ uses: actions/attest-build-provenance@v1
+ with:
+ subject-name: ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }}
+ subject-digest: ${{ steps.docker_build.outputs.digest }}
+ push-to-registry: true
 
  - name: Image metadata
  env:
@@ -440,7 +421,8 @@ jobs:
  permissions:
  contents: read
  id-token: write
- packages: write
+ packages: ${{ env.AUTO_PUSH_IMAGES != 'true' && 'write' || 'none' }}
+ attestations: write
  steps:
  - name: Block egress traffic
  uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
@@ -520,7 +502,7 @@ jobs:
  with:
  images: |
  ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }}
- ${{ format('{0}/{1}{2}', env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }}
+ ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }}
  context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }}
  tags: |
  type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}-
@@ -570,7 +552,7 @@ jobs:
  cosign verify \
  --certificate-oidc-issuer-regexp "$OIDC_ISSUER" \
  --certificate-identity-regexp "$IDENTITY_REGEX" \
- "$BASE_IMAGE"
+ "$BASE_IMAGE" | jq
  echo "::endgroup::"
 
  - name: Prepare cache data
@@ -639,25 +621,14 @@ jobs:
  org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
  org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
 
- - name: Sign the images with GitHub OIDC Token
+ - name: Attest images
  if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
- env:
- DIGEST: ${{ steps.docker_build.outputs.digest }}
- TAGS: ${{ steps.meta.outputs.tags }}
- run: |
- images=""
- for tag in ${TAGS}; do
- images+="${tag}@${DIGEST} "
- done
-
- echo "::group::Images to sign"
- echo "$images"
- echo "::endgroup::"
-
- echo "::group::Signing"
- echo "cosign sign --yes $images"
- cosign sign --yes ${images}
- echo "::endgroup::"
+ id: attest
+ uses: actions/attest-build-provenance@v1
+ with:
+ subject-name: ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }}
+ subject-digest: ${{ steps.docker_build.outputs.digest }}
+ push-to-registry: true
 
  - name: Image metadata
  env:
@@ -693,7 +664,8 @@ jobs:
  permissions:
  contents: read
  id-token: write
- packages: write
+ packages: ${{ env.AUTO_PUSH_IMAGES != 'true' && 'write' || 'none' }}
+ attestations: write
  steps:
  - name: Block egress traffic
  uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
@@ -894,7 +866,7 @@ jobs:
  with:
  images: |
  ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }}
- ${{ format('{0}/{1}{2}', env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }}
+ ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }}
  context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }}
  tags: |
  type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}-
@@ -946,7 +918,7 @@ jobs:
  cosign verify \
  --certificate-oidc-issuer-regexp "${OIDC_ISSUER}" \
  --certificate-identity-regexp "${IDENTITY_REGEX}" \
- "${BASE_IMAGE}"
+ "${BASE_IMAGE}" | jq
  echo "::endgroup::"
 
  - name: Prepare cache data
@@ -993,25 +965,14 @@ jobs:
  org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
  org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
 
- - name: Sign the images with GitHub OIDC Token
+ - name: Attest images
  if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
- env:
- DIGEST: ${{ steps.docker_build.outputs.digest }}
- TAGS: ${{ steps.meta.outputs.tags }}
- run: |
- images=""
- for tag in ${TAGS}; do
- images+="${tag}@${DIGEST} "
- done
-
- echo "::group::Images to sign"
- echo "$images"
- echo "::endgroup::"
-
- echo "::group::Signing"
- echo "cosign sign --yes $images"
- cosign sign --yes ${images}
- echo "::endgroup::"
+ id: attest
+ uses: actions/attest-build-provenance@v1
+ with:
+ subject-name: ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }}
+ subject-digest: ${{ steps.docker_build.outputs.digest }}
+ push-to-registry: true
 
  - name: Image metadata
  if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}