Open ianlewis opened 2 years ago
A good point of comparison would be the docker actions for building and pushing images. They use buildx in their case and support building for different architectures using qemu. https://github.com/marketplace/actions/build-and-push-docker-images
Generating a provenance based off a Dockerfile is a great start. You may also want to see how the same could be done for builds using tools like ko and buildpacks. These are both very popular alternatives to managing Dockerfiles.
For sure. I think @laurentsimon shared https://github.com/laurentsimon/slsa-github-generator-ko with you on slack maybe, but the idea is we will eventually merge that workflow here as well.
Buildpacks is a good idea but I think getting provenance generation for simple Dockerfiles working is probably a higher priority for now. We're happy to take issues and contributions if folks want to take on specific workflows or features.
This sounds like it can be a very useful workflow. Any progress on it? Doesn't look like it has been picked yet.
Here is the top-level tracking issue: https://github.com/project-oak/transparent-release/issues/145 We hope to have an initial version by the end of Q4'22.
Is this done?
It is not. @ianlewis started it but it's not complete yet. Maybe in the meantime you could use:
We can provide a builder which builds a Docker image based on a Dockerfile as the build artifact and generate SLSA provenance for it.