Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ci: add attestation to container images and SBOMs #1789

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

ci: add attestation to container images and SBOMs #1789

wants to merge 1 commit into from
+19 −0

Conversation

arthurus-rex
Copy link
Contributor

Add in-toto attestation to all image-building ci workflows, for both SBOMs (image.yml) and images themselves (all 3 workflows). Allow necessary permissions to attest (attestations, packages).

@SamYuan1990
Copy link
Collaborator

Attestations bind some subject (a named artifact along with its digest) to a SLSA build provenance predicate using the in-toto format.

A verifiable signature is generated for the attestation using a short-lived Sigstore-issued signing certificate. If the repository initiating the GitHub Actions workflow is public, the public-good instance of Sigstore will be used to generate the attestation signature. If the repository is private/internal, it will use the GitHub private Sigstore instance.

ref to https://github.com/actions/attest-build-provenance
well, I am open for SLSA, sigstore or any openSSF kind structure in CI approach.
But, or well...
https://github.com/sustainable-computing-io/kepler/actions/runs/10931316693/job/30346044739?pr=1789
it should not in PR image build, IMO, it's valuable as user will use release image or daily image(which is latest tag image).

I am not sure if we need additional project configuration for sigstore, @rootfs , could you please advise?
at least within this PR, it seems we need a github token.
https://github.com/actions/attest-build-provenance?tab=readme-ov-file#inputs
or @arthurus-rex , ref to github token settings, it seems PR(as PR owner is from a fork repo) can't use upstream repo's github token setting as security reason, please update code, remove/update settings for this github action. I suppose we don't need push to reg for each PR.

@arthurus-rex
Copy link
Contributor Author

arthurus-rex commented Sep 19, 2024
edited
Loading

@SamYuan1990 sounds good, I think removing the attestation from image_pr.yml makes sense. The attestation in general was suggested to me by @dave-tucker (tagged in case he has any input/suggestions here). I will update this PR over the next 1-2 days.

Follow-up question: Is there a reason we are pushing to registry at all for PRs?

@SamYuan1990
Copy link
Collaborator

SamYuan1990 commented Sep 19, 2024
edited
Loading

@SamYuan1990 sounds good, I think removing the attestation from image_pr.yml makes sense. The attestation in general was suggested to me by @dave-tucker (tagged in case he has any input/suggestions here). I will update this PR over the next 1-2 days.

Follow-up question: Is there a reason we are pushing to registry at all for PRs?

IMO for PR level,
https://github.com/sustainable-computing-io/kepler/blob/main/.github/workflows/pull_request.yml#L50
the push image is set to false, so for each PR we should not push image.

https://github.com/sustainable-computing-io/kepler/blob/main/.github/workflows/image_pr.yml#L4 is working with workflow_dispatch. so when we need to debug/test a pr image/pr version, someone will manual build the image and upload it.

https://quay.io/repository/sustainable_computing_io/kepler?tab=tags&tag=latest which same as image tags you see on quay io.

@arthurus-rex
ci: add attestation to container images and SBOMs
d84261a 
Add in-toto attestation to base image ci workflows, for both
SBOMs and images themselves upon build and push. Allow necessary
permissions to attest (attestations, packages) on these workflows.

Signed-off-by: Arthur Savage <[email protected]>
@arthurus-rex
Copy link
Contributor Author

I removed the attestation on PR and restricted permissions where possible.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@arthurus-rex @SamYuan1990