dexidp / dex

OpenID Connect (OIDC) identity and OAuth 2.0 provider with pluggable connectors
https://dexidp.io
Apache License 2.0

introduce Provenance Attestation #3548

Closed cpanato closed 4 months ago

cpanato commented 4 months ago

Overview

Add Provenance Attestation using GitHub Action and sigstore (https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/)

What this PR does / why we need it

This adds the provenance attestation and pushes the attestation to the same registry as the image.

Rehearsal: job: https://github.com/cpanato/dex/actions/runs/9252829376/job/25451249054

attestation: https://github.com/cpanato/dex/attestations/921641 and attestation image: ghcr.io/cpanato/dex@sha256:8e5d24d7a0f0fe95bbdf6722e1c724075d5d4c15cfa8d0ef4959f25103e12bac

To verify:

$ gh attestation verify oci://ghcr.io/cpanato/dex@sha256:8e5d24d7a0f0fe95bbdf6722e1c724075d5d4c15cfa8d0ef4959f25103e12bac --owner cpanato
Loaded digest sha256:8e5d24d7a0f0fe95bbdf6722e1c724075d5d4c15cfa8d0ef4959f25103e12bac for oci://ghcr.io/cpanato/dex@sha256:8e5d24d7a0f0fe95bbdf6722e1c724075d5d4c15cfa8d0ef4959f25103e12bac
Loaded 1 attestation from GitHub API
✓ Verification succeeded!

sha256:8e5d24d7a0f0fe95bbdf6722e1c724075d5d4c15cfa8d0ef4959f25103e12bac was attested by:
REPO         PREDICATE_TYPE                  WORKFLOW
cpanato/dex  https://slsa.dev/provenance/v1  .github/workflows/artifacts.yaml@refs/tags/v9.9.1

xref: https://github.com/dexidp/dex/issues/2865

Special notes for your reviewer

cc @justaugustus @sagikazarmark
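As an added illustration of the setup this PR describes (not the PR's own workflow, whose contents are not shown here), a minimal GitHub Actions job that builds an image, generates SLSA provenance with sigstore keyless signing, and pushes the attestation to the same registry alongside the image. The workflow name, tag trigger, image name and action versions are assumptions; the PR's own verification command (gh attestation verify oci://... --owner ...) then checks the result.

```yaml
name: artifacts

on:
  push:
    tags: ["v*"]            # assumed trigger: release tags such as v9.9.1

permissions:
  contents: read

jobs:
  image:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write        # push the image and the attestation to ghcr.io
      id-token: write        # OIDC token used for sigstore keyless signing
      attestations: write    # store the attestation in GitHub's attestation API
    steps:
      - uses: actions/checkout@v4

      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # The image is pushed by digest; that digest becomes the attestation subject.
      - id: build
        uses: docker/build-push-action@v5
        with:
          push: true
          # assumed image name; registry repository names must be lowercase
          tags: ghcr.io/${{ github.repository }}:${{ github.ref_name }}

      # Generates an in-toto statement with predicate https://slsa.dev/provenance/v1,
      # signs it via sigstore, records it on GitHub, and, with push-to-registry,
      # attaches it to the image in the same registry so it travels with the artifact.
      - uses: actions/attest-build-provenance@v1
        with:
          subject-name: ghcr.io/${{ github.repository }}
          subject-digest: ${{ steps.build.outputs.digest }}
          push-to-registry: true
```

Consumers should pin to the digest printed by the build (not a mutable tag) when running gh attestation verify, so the verified subject is exactly the image they deploy.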

sagikazarmark commented 4 months ago

Thanks @cpanato !

justaugustus commented 4 months ago

Very nice; thanks @cpanato!

cpanato commented 4 months ago

@sagikazarmark @justaugustus you can check the attestation for the main branch here: https://github.com/dexidp/dex/attestations/929115