Revert GH attestation workflow

.github/workflows/images_build.yml

@@ -30,7 +30,6 @@ env:
  TRUNK_ONLY_EVENT: ${{ contains(fromJSON('["schedule"]'), github.event_name) }}
  AUTO_PUSH_IMAGES: ${{ ! contains(fromJSON('["workflow_dispatch"]'), github.event_name) && vars.AUTO_PUSH_IMAGES }}
 
- DOCKER_REGISTRY: ${{ vars.DOCKER_REGISTRY }}
  DOCKER_REPOSITORY: ${{ vars.DOCKER_REPOSITORY }}
  LATEST_BRANCH: ${{ github.event.repository.default_branch }}
  TRUNK_GIT_BRANCH: "refs/heads/trunk"
@@ -172,7 +171,6 @@ jobs:
  contents: read
  id-token: write
  packages: write
- attestations: write
  steps:
  - name: Block egress traffic
  uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
@@ -270,6 +268,16 @@ jobs:
  ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }}
  fetch-depth: 1
 
+ - name: Install cosign
+ if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
+ uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4
+ with:
+ cosign-release: 'v2.2.3'
+
+ - name: Check cosign version
+ if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
+ run: cosign version
+
  - name: Set up QEMU
  uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
  with:
@@ -302,7 +310,7 @@ jobs:
  with:
  images: |
  ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }}
- ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }}
+ ${{ format('{0}/{1}{2}', env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }}
  context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }}
  tags: |
  type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}-
@@ -379,14 +387,25 @@ jobs:
  cache-from: ${{ steps.cache_data.outputs.cache_from }}
  cache-to: ${{ steps.cache_data.outputs.cache_to }}
 
- - name: Attest images
+ - name: Sign the images with GitHub OIDC Token
  if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
- id: attest
- uses: actions/attest-build-provenance@v1
- with:
- subject-name: ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }}
- subject-digest: ${{ steps.docker_build.outputs.digest }}
- push-to-registry: true
+ env:
+ DIGEST: ${{ steps.docker_build.outputs.digest }}
+ TAGS: ${{ steps.meta.outputs.tags }}
+ run: |
+ images=""
+ for tag in ${TAGS}; do
+ images+="${tag}@${DIGEST} "
+ done
+
+ echo "::group::Images to sign"
+ echo "$images"
+ echo "::endgroup::"
+
+ echo "::group::Signing"
+ echo "cosign sign --yes $images"
+ cosign sign --yes ${images}
+ echo "::endgroup::"
 
  - name: Image metadata
  env:
@@ -422,7 +441,6 @@ jobs:
  contents: read
  id-token: write
  packages: write
- attestations: write
  steps:
  - name: Block egress traffic
  uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
@@ -460,6 +478,16 @@ jobs:
  ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }}
  fetch-depth: 1
 
+ - name: Install cosign
+ if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
+ uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4
+ with:
+ cosign-release: 'v2.2.3'
+
+ - name: Check cosign version
+ if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
+ run: cosign version
+
  - name: Set up QEMU
  uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
  with:
@@ -492,7 +520,7 @@ jobs:
  with:
  images: |
  ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }}
- ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }}
+ ${{ format('{0}/{1}{2}', env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }}
  context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }}
  tags: |
  type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}-
@@ -525,20 +553,24 @@ jobs:
 
  echo "base_build_image=${IMAGE_NAME}@${IMAGE_DIGEST}" >> $GITHUB_OUTPUT
 
- - name: Verify ${{ env.BASE_BUILD_NAME }}:${{ matrix.os }} attestation
+ - name: Verify ${{ env.BASE_BUILD_NAME }}:${{ matrix.os }} cosign
  if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
  env:
  BASE_IMAGE: ${{ steps.base_build.outputs.base_build_image }}
- REPOSITORY: ${{ github.repository }}
- DOCKER_REGISTRY: ${{ env.DOCKER_REGISTRY }}
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ OIDC_ISSUER: ${{ env.OIDC_ISSUER }}
+ IDENTITY_REGEX: ${{ env.IDENTITY_REGEX }}
  run: |
  echo "::group::Image sign data"
+ echo "OIDC issuer=$OIDC_ISSUER"
+ echo "Identity=$IDENTITY_REGEX"
  echo "Image to verify=$BASE_IMAGE"
  echo "::endgroup::"
 
  echo "::group::Verify signature"
- gh attestation verify oci://$DOCKER_REGISTRY/$BASE_IMAGE -R $REPOSITORY
+ cosign verify \
+ --certificate-oidc-issuer-regexp "$OIDC_ISSUER" \
+ --certificate-identity-regexp "$IDENTITY_REGEX" \
+ "$BASE_IMAGE"
  echo "::endgroup::"
 
  - name: Prepare cache data
@@ -607,14 +639,25 @@ jobs:
  org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
  org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
 
- - name: Attest images
+ - name: Sign the images with GitHub OIDC Token
  if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
- id: attest
- uses: actions/attest-build-provenance@v1
- with:
- subject-name: ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }}
- subject-digest: ${{ steps.docker_build.outputs.digest }}
- push-to-registry: true
+ env:
+ DIGEST: ${{ steps.docker_build.outputs.digest }}
+ TAGS: ${{ steps.meta.outputs.tags }}
+ run: |
+ images=""
+ for tag in ${TAGS}; do
+ images+="${tag}@${DIGEST} "
+ done
+
+ echo "::group::Images to sign"
+ echo "$images"
+ echo "::endgroup::"
+
+ echo "::group::Signing"
+ echo "cosign sign --yes $images"
+ cosign sign --yes ${images}
+ echo "::endgroup::"
 
  - name: Image metadata
  env:
@@ -651,7 +694,6 @@ jobs:
  contents: read
  id-token: write
  packages: write
- attestations: write
  steps:
  - name: Block egress traffic
  uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
@@ -781,6 +823,22 @@ jobs:
  ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }}
  fetch-depth: 1
 
+ - name: Install cosign
+ if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
+ uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4
+ with:
+ cosign-release: 'v2.2.3'
+
+ - name: Check cosign version
+ if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
+ run: cosign version
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
+ with:
+ image: tonistiigi/binfmt:latest
+ platforms: all
+
  - name: Set up Docker Buildx
  uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
  with:
@@ -836,7 +894,7 @@ jobs:
  with:
  images: |
  ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }}
- ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }}
+ ${{ format('{0}/{1}{2}', env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }}
  context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }}
  tags: |
  type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}-
@@ -871,6 +929,26 @@ jobs:
 
  echo "base_build_image=${IMAGE_NAME}@${IMAGE_DIGEST}" >> $GITHUB_OUTPUT
 
+ - name: Verify ${{ steps.build_base_image.outputs.build_base }}:${{ matrix.os }} cosign
+ if: ${{ matrix.build != 'snmptraps' && env.AUTO_PUSH_IMAGES == 'true' }}
+ env:
+ BASE_IMAGE: ${{ steps.base_build.outputs.base_build_image }}
+ OIDC_ISSUER: ${{ env.OIDC_ISSUER }}
+ IDENTITY_REGEX: ${{ env.IDENTITY_REGEX }}
+ run: |
+ echo "::group::Image sign data"
+ echo "OIDC issuer=${OIDC_ISSUER}"
+ echo "Identity=${IDENTITY_REGEX}"
+ echo "Image to verify=${BASE_IMAGE}"
+ echo "::endgroup::"
+
+ echo "::group::Verify signature"
+ cosign verify \
+ --certificate-oidc-issuer-regexp "${OIDC_ISSUER}" \
+ --certificate-identity-regexp "${IDENTITY_REGEX}" \
+ "${BASE_IMAGE}"
+ echo "::endgroup::"
+
  - name: Prepare cache data
  if: ${{ matrix.build != 'snmptraps' }}
  id: cache_data
@@ -915,14 +993,25 @@ jobs:
  org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
  org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
 
- - name: Attest images
+ - name: Sign the images with GitHub OIDC Token
  if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
- id: attest
- uses: actions/attest-build-provenance@v1
- with:
- subject-name: ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }}
- subject-digest: ${{ steps.docker_build.outputs.digest }}
- push-to-registry: true
+ env:
+ DIGEST: ${{ steps.docker_build.outputs.digest }}
+ TAGS: ${{ steps.meta.outputs.tags }}
+ run: |
+ images=""
+ for tag in ${TAGS}; do
+ images+="${tag}@${DIGEST} "
+ done
+
+ echo "::group::Images to sign"
+ echo "$images"
+ echo "::endgroup::"
+
+ echo "::group::Signing"
+ echo "cosign sign --yes $images"
+ cosign sign --yes ${images}
+ echo "::endgroup::"
 
  - name: Image metadata
  if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}