Closed cpanato closed 4 months ago
Add Provenance Attestation using GitHub Action and sigstore (https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/)
This adds the provenance attestation and pushes the attestation to the same registry as the image (ghcr.io) and not to docker.io.
Rehearsal: job: https://github.com/cpanato/dex/actions/runs/9252829376/job/25451249054
attestation: https://github.com/cpanato/dex/attestations/921641 and attestation image: ghcr.io/cpanato/dex@sha256:8e5d24d7a0f0fe95bbdf6722e1c724075d5d4c15cfa8d0ef4959f25103e12bac
to verify:

```
$ gh attestation verify oci://ghcr.io/cpanato/dex@sha256:8e5d24d7a0f0fe95bbdf6722e1c724075d5d4c15cfa8d0ef4959f25103e12bac --owner cpanato
Loaded digest sha256:8e5d24d7a0f0fe95bbdf6722e1c724075d5d4c15cfa8d0ef4959f25103e12bac for oci://ghcr.io/cpanato/dex@sha256:8e5d24d7a0f0fe95bbdf6722e1c724075d5d4c15cfa8d0ef4959f25103e12bac
Loaded 1 attestation from GitHub API
✓ Verification succeeded!

sha256:8e5d24d7a0f0fe95bbdf6722e1c724075d5d4c15cfa8d0ef4959f25103e12bac was attested by:
REPO         PREDICATE_TYPE                  WORKFLOW
cpanato/dex  https://slsa.dev/provenance/v1  .github/workflows/artifacts.yaml@refs/tags/v9.9.1
```
xref: https://github.com/dexidp/dex/issues/2865
cc @justaugustus @sagikazarmark
Thanks @cpanato !
Very nice; thanks @cpanato!
@sagikazarmark @justaugustus you can check the attestation for the main branch here: https://github.com/dexidp/dex/attestations/929115
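The REPO, PREDICATE_TYPE and WORKFLOW columns in the verification output come from fields of the attested in-toto statement, and a consumer can pin them in a policy check after `gh attestation verify` has validated the signature. The following is an added example, not code from this PR or from dex: `check_provenance`, `constructed_envelope` and `POLICY` are hypothetical names, the envelope is constructed sample data, and the `externalParameters.workflow` layout is assumed to follow the GitHub Actions workflow build type.

```python
import base64
import json
import re

SLSA_V1 = "https://slsa.dev/provenance/v1"
DIGEST = "sha256:8e5d24d7a0f0fe95bbdf6722e1c724075d5d4c15cfa8d0ef4959f25103e12bac"

def check_provenance(envelope, digest, repo, workflow_path, ref_pattern):
    """Return policy violations for an already signature-verified DSSE envelope."""
    if envelope.get("payloadType") != "application/vnd.in-toto+json":
        return ["unexpected payloadType"]
    stmt = json.loads(base64.b64decode(envelope["payload"]))
    problems = []
    if stmt.get("predicateType") != SLSA_V1:
        problems.append("predicateType is not SLSA provenance v1")
    subjects = {s.get("digest", {}).get("sha256") for s in stmt.get("subject", [])}
    if digest.split(":", 1)[-1] not in subjects:
        problems.append("digest is not a subject of this statement")
    # Assumed layout: predicate.buildDefinition.externalParameters.workflow
    wf = (stmt.get("predicate", {}).get("buildDefinition", {})
              .get("externalParameters", {}).get("workflow", {}))
    if wf.get("repository") != f"https://github.com/{repo}":
        problems.append("built from an unexpected repository")
    if wf.get("path") != workflow_path:
        problems.append("built by an unexpected workflow file")
    if not re.fullmatch(ref_pattern, wf.get("ref", "")):
        problems.append("built from a ref the policy does not allow")
    return problems

def constructed_envelope(ref):
    """Constructed sample envelope (unsigned); only the fields the check reads."""
    stmt = {"_type": "https://in-toto.io/Statement/v1", "predicateType": SLSA_V1,
            "subject": [{"name": "ghcr.io/cpanato/dex",
                         "digest": {"sha256": DIGEST.split(":", 1)[-1]}}],
            "predicate": {"buildDefinition": {"externalParameters": {"workflow": {
                "repository": "https://github.com/cpanato/dex",
                "path": ".github/workflows/artifacts.yaml", "ref": ref}}}}}
    return {"payloadType": "application/vnd.in-toto+json", "signatures": [],
            "payload": base64.b64encode(json.dumps(stmt).encode()).decode()}

# Policy: this digest, this repo, this workflow file, release tags only.
POLICY = dict(digest=DIGEST, repo="cpanato/dex",
              workflow_path=".github/workflows/artifacts.yaml",
              ref_pattern=r"refs/tags/v\d+\.\d+\.\d+")

if __name__ == "__main__":
    print(check_provenance(constructed_envelope("refs/tags/v9.9.1"), **POLICY))
    print(check_provenance(constructed_envelope("refs/heads/feature-x"), **POLICY))
```

This check only inspects the statement contents; it does not replace the signature and certificate verification that `gh attestation verify` performs.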