Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ci: attest build provenance for images #87

Merged
merged 2 commits into from
Jul 1, 2024
Merged

ci: attest build provenance for images #87

merged 2 commits into from
Jul 1, 2024

Conversation

blocktrron
Copy link
Member

This PR adds GitHubs functionality of attesting proof a artifact object is generated from the GitHub actions CI and it's respective commit.

My goal with the usage of GitHub Actions for the ffda firmware was initially to ensure transparency of how and from which references the images are built. I see this functionality as another great step towards ensuring transparency (even though nobody will probably ever use it).

This is a example run: https://github.com/blocktrron/site-ffda/actions/runs/9636954817

More Info:
https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds
https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/

@blocktrron
Copy link
Member Author

Also i think it makes sense (according to the docs) to attest the manifests.

We can also do this at a later stage, as I'm unsure on which conditions this should be done and how to reflect it in the build pipeline.

So let's tackle this step by step.

@blocktrron blocktrron merged commit 81d70d3 into freifunk-darmstadt:master Jul 1, 2024
26 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@blocktrron