From c6c1da2962b8eec1bd4b07f4d400b0957acd173c Mon Sep 17 00:00:00 2001 From: Dan Urson Date: Mon, 16 Dec 2024 08:35:28 -0500 Subject: [PATCH 01/14] fix: Do not specify both path and digest --- .github/workflows/atlantis-image.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/atlantis-image.yml b/.github/workflows/atlantis-image.yml index 08936ce74a..2b720b16a0 100644 --- a/.github/workflows/atlantis-image.yml +++ b/.github/workflows/atlantis-image.yml @@ -157,8 +157,7 @@ jobs: if: env.PUSH == 'true' uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0 with: - subject-path: ${{ steps.build.outputs.image-name }}@${{ steps.build.outputs.digest }} - subject-digest: ${{ steps.build.outputs.digest }} + subject-path: ${{ steps.build.outputs.imageid }}@${{ steps.build.outputs.digest }} push-to-registry: true test: From e61f84fcf7d687d4a015b593a43406e0d2f65bc6 Mon Sep 17 00:00:00 2001 From: Dan Urson Date: Mon, 16 Dec 2024 11:01:32 -0500 Subject: [PATCH 02/14] break attestation into its own workflow Signed-off-by: Dan Urson --- .github/workflows/atlantis-image.yml | 7 ----- .github/workflows/attest-image-attest.yml | 36 +++++++++++++++++++++++ 2 files changed, 36 insertions(+), 7 deletions(-) create mode 100644 .github/workflows/attest-image-attest.yml diff --git a/.github/workflows/atlantis-image.yml b/.github/workflows/atlantis-image.yml index 2b720b16a0..99e5e612cb 100644 --- a/.github/workflows/atlantis-image.yml +++ b/.github/workflows/atlantis-image.yml 
@@ -153,13 +153,6 @@ jobs: labels: ${{ steps.meta.outputs.labels }} outputs: type=image,name=target,annotation-index.org.opencontainers.image.description=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.description'] }} - - name: "Sign and Attest Image" - if: env.PUSH == 'true' - uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0 - with: - subject-path: ${{ steps.build.outputs.imageid }}@${{ steps.build.outputs.digest }} - push-to-registry: true - test: needs: [changes] if: needs.changes.outputs.should-run-build == 'true' diff --git a/.github/workflows/attest-image-attest.yml b/.github/workflows/attest-image-attest.yml new file mode 100644 index 0000000000..d3fcf9b224 --- /dev/null +++ b/.github/workflows/attest-image-attest.yml @@ -0,0 +1,36 @@ +name: attest-image + +on: + push: + branches: + - 'main' + - 'release-**' + tags: + - v*.*.* + pull_request: + branches: + - 'main' + - 'release-**' + types: + - opened + - reopened + - synchronize + - ready_for_review + workflow_run: + workflows: ["atlantis-image"] + types: + - completed + +concurrency: + group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} + cancel-in-progress: true + +jobs: + attest: + runs-on: ubuntu-24.04 + steps: + - name: "Attest Image" + uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0 + with: + subject-path: ghcr.io/${{ github.repository }}/atlantis:${{ github.sha }} + push-to-registry: true From 65cef3d337b688fac2cb419d44aa5621be6a11d2 Mon Sep 17 00:00:00 2001 From: Dan Urson Date: Mon, 16 Dec 2024 11:06:49 -0500 Subject: [PATCH 03/14] add permissions back to attestation workflow Signed-off-by: Dan Urson --- .github/workflows/attest-image-attest.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/attest-image-attest.yml b/.github/workflows/attest-image-attest.yml index d3fcf9b224..ec4f857982 100644 --- a/.github/workflows/attest-image-attest.yml 
+++ b/.github/workflows/attest-image-attest.yml @@ -28,6 +28,10 @@ concurrency: jobs: attest: runs-on: ubuntu-24.04 + permissions: + id-token: write + contents: read + attestations: write steps: - name: "Attest Image" uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0 From c04187486edaabe4df7d7658ec8a1b8fd9a2c57d Mon Sep 17 00:00:00 2001 From: Dan Urson Date: Mon, 16 Dec 2024 11:15:39 -0500 Subject: [PATCH 04/14] delete independent attestation wf it's supposed to be contained in the build wf per github best practices Signed-off-by: Dan Urson --- .github/workflows/attest-image-attest.yml | 40 ----------------------- 1 file changed, 40 deletions(-) delete mode 100644 .github/workflows/attest-image-attest.yml diff --git a/.github/workflows/attest-image-attest.yml b/.github/workflows/attest-image-attest.yml deleted file mode 100644 index ec4f857982..0000000000 --- a/.github/workflows/attest-image-attest.yml +++ /dev/null @@ -1,40 +0,0 @@ -name: attest-image - -on: - push: - branches: - - 'main' - - 'release-**' - tags: - - v*.*.* - pull_request: - branches: - - 'main' - - 'release-**' - types: - - opened - - reopened - - synchronize - - ready_for_review - workflow_run: - workflows: ["atlantis-image"] - types: - - completed - -concurrency: - group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} - cancel-in-progress: true - -jobs: - attest: - runs-on: ubuntu-24.04 - permissions: - id-token: write - contents: read - attestations: write - steps: - - name: "Attest Image" - uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0 - with: - subject-path: ghcr.io/${{ github.repository }}/atlantis:${{ github.sha }} - push-to-registry: true From 06365ad80488c1ee600cc9fb5dfd4dd6e7aa1184 Mon Sep 17 00:00:00 2001 From: Dan Urson Date: Mon, 16 Dec 2024 11:16:02 -0500 Subject: [PATCH 05/14] add back modified build workflow contains updated attestation step 
Signed-off-by: Dan Urson --- .github/workflows/atlantis-image.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/workflows/atlantis-image.yml b/.github/workflows/atlantis-image.yml index 99e5e612cb..44ea87e12b 100644 --- a/.github/workflows/atlantis-image.yml +++ b/.github/workflows/atlantis-image.yml @@ -153,6 +153,13 @@ jobs: labels: ${{ steps.meta.outputs.labels }} outputs: type=image,name=target,annotation-index.org.opencontainers.image.description=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.description'] }} + - name: "Sign and Attest Image" + if: env.PUSH == 'true' + uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0 + with: + subject-path: ghcr.io/${{ github.repository }}:${{ steps.meta.outputs.tags }} + push-to-registry: true + test: needs: [changes] if: needs.changes.outputs.should-run-build == 'true' From 88b1b3f7a993ee6c3f6376707239cd941f7ba897 Mon Sep 17 00:00:00 2001 From: Dan Urson Date: Mon, 16 Dec 2024 11:43:58 -0500 Subject: [PATCH 06/14] aparently the tag is the path wtf Signed-off-by: Dan Urson --- .github/workflows/atlantis-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/atlantis-image.yml b/.github/workflows/atlantis-image.yml index 44ea87e12b..efd13f383b 100644 --- a/.github/workflows/atlantis-image.yml +++ b/.github/workflows/atlantis-image.yml @@ -157,7 +157,7 @@ jobs: if: env.PUSH == 'true' uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0 with: - subject-path: ghcr.io/${{ github.repository }}:${{ steps.meta.outputs.tags }} + subject-path: ${{ steps.meta.outputs.tags }} push-to-registry: true test: From 92f06f963d2c2e7b2bd98fb57e26151e72b248aa Mon Sep 17 00:00:00 2001 From: Dan Urson Date: Mon, 16 Dec 2024 12:25:43 -0500 Subject: [PATCH 07/14] try again with the bare repo name as the path 
Signed-off-by: Dan Urson --- .github/workflows/atlantis-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/atlantis-image.yml b/.github/workflows/atlantis-image.yml index efd13f383b..21fee9c90f 100644 --- a/.github/workflows/atlantis-image.yml +++ b/.github/workflows/atlantis-image.yml @@ -157,7 +157,7 @@ jobs: if: env.PUSH == 'true' uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0 with: - subject-path: ${{ steps.meta.outputs.tags }} + subject-path: ${{ env.DOCKER_REPO }} push-to-registry: true test: From d237ebc3170703a287914b9ee13c2a73a480d334 Mon Sep 17 00:00:00 2001 From: Robert Kugler Date: Mon, 16 Dec 2024 19:38:22 +0100 Subject: [PATCH 08/14] Test --- .github/workflows/atlantis-image.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/atlantis-image.yml b/.github/workflows/atlantis-image.yml index 21fee9c90f..67a2149b3f 100644 --- a/.github/workflows/atlantis-image.yml +++ b/.github/workflows/atlantis-image.yml @@ -157,7 +157,8 @@ jobs: if: env.PUSH == 'true' uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0 with: - subject-path: ${{ env.DOCKER_REPO }} + subject-digest: ${{ steps.$step.outputs.digest }} + subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} push-to-registry: true test: From 2763d03af39932864b474fbdf093a5a801d7056d Mon Sep 17 00:00:00 2001 From: Robert Kugler Date: Mon, 16 Dec 2024 19:41:33 +0100 Subject: [PATCH 09/14] Fix digest --- .github/workflows/atlantis-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/atlantis-image.yml b/.github/workflows/atlantis-image.yml index 67a2149b3f..a02593a9e7 100644 --- a/.github/workflows/atlantis-image.yml +++ b/.github/workflows/atlantis-image.yml 
@@ -157,7 +157,7 @@ jobs: if: env.PUSH == 'true' uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0 with: - subject-digest: ${{ steps.$step.outputs.digest }} + subject-digest: ${{ steps.build.outputs.digest }} subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} push-to-registry: true From 6f8bc2be639715a0333947d588e4a0d46fdbd0d4 Mon Sep 17 00:00:00 2001 From: Robert Kugler Date: Mon, 16 Dec 2024 20:14:36 +0100 Subject: [PATCH 10/14] Fix subject name --- .github/workflows/atlantis-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/atlantis-image.yml b/.github/workflows/atlantis-image.yml index a02593a9e7..2cae94b95e 100644 --- a/.github/workflows/atlantis-image.yml +++ b/.github/workflows/atlantis-image.yml @@ -158,7 +158,7 @@ jobs: uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0 with: subject-digest: ${{ steps.build.outputs.digest }} - subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + subject-name: ghcr.io/notdurson/atlantis push-to-registry: true test: From 8b2b2d549654bcc840b8cc9b285bda3fc2e3fb16 Mon Sep 17 00:00:00 2001 From: Robert Kugler Date: Mon, 16 Dec 2024 20:37:53 +0100 Subject: [PATCH 11/14] Try variable --- .github/workflows/atlantis-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/atlantis-image.yml b/.github/workflows/atlantis-image.yml index 2cae94b95e..86900b9254 100644 --- a/.github/workflows/atlantis-image.yml +++ b/.github/workflows/atlantis-image.yml @@ -158,7 +158,7 @@ jobs: uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0 with: subject-digest: ${{ steps.build.outputs.digest }} - subject-name: ghcr.io/notdurson/atlantis + subject-name: ghcr.io/${{ github.repository }} push-to-registry: true test: From 62a6526ddfd330a1c3e0e6905fceadb7ed3f5276 Mon Sep 17 00:00:00 2001 
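Review bot: The attestation subject is now hard-coded to `ghcr.io/${{ github.repository }}`, while the image the build step pushes appears to be named from the workflow's own variables (`env.DOCKER_REPO` in patch 07, `env.REGISTRY`/`env.IMAGE_NAME` in patch 08), so the two can drift silently if the registry or image name ever changes; with `push-to-registry: true` the attestation is then pushed for a name that does not correspond to the image `steps.build` produced. If `env.DOCKER_REPO` holds the same `registry/name` that the build step pushes to, `subject-name: ${{ env.DOCKER_REPO }}` keeps the attestation bound to the image that was actually published. The `with:` block is complete in the hunk, but the step and the enclosing job start outside it.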
From: Dan Urson Date: Tue, 17 Dec 2024 13:55:31 -0500 Subject: [PATCH 12/14] do not use extra unnecessary permisisons in build step Signed-off-by: Dan Urson --- .github/workflows/atlantis-image.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/workflows/atlantis-image.yml b/.github/workflows/atlantis-image.yml index 86900b9254..beab1016f5 100644 --- a/.github/workflows/atlantis-image.yml +++ b/.github/workflows/atlantis-image.yml @@ -47,8 +47,6 @@ jobs: name: Build Image permissions: id-token: write - packages: write - contents: read attestations: write strategy: matrix: @@ -154,7 +152,6 @@ jobs: outputs: type=image,name=target,annotation-index.org.opencontainers.image.description=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.description'] }} - name: "Sign and Attest Image" - if: env.PUSH == 'true' uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0 with: subject-digest: ${{ steps.build.outputs.digest }} From f3b24eca09df37e1c47e5e9990fd21c7d799f125 Mon Sep 17 00:00:00 2001 From: Dan Urson Date: Tue, 17 Dec 2024 14:17:38 -0500 Subject: [PATCH 13/14] yes we actually need packages:write Signed-off-by: Dan Urson --- .github/workflows/atlantis-image.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/atlantis-image.yml b/.github/workflows/atlantis-image.yml index beab1016f5..5cfe77bb2d 100644 --- a/.github/workflows/atlantis-image.yml +++ b/.github/workflows/atlantis-image.yml @@ -47,6 +47,7 @@ jobs: name: Build Image permissions: id-token: write + packages: write attestations: write strategy: matrix: From 5cf546ef9d63a24880b74cca532418cb7dd324c7 Mon Sep 17 00:00:00 2001 From: Dan Urson Date: Thu, 19 Dec 2024 12:06:03 -0500 Subject: [PATCH 14/14] re-add gate to run attestation on push Signed-off-by: Dan Urson --- .github/workflows/atlantis-image.yml | 1 + 1 file changed, 1 insertion(+) 
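Review bot: The job-level `permissions:` block ends up as `id-token: write`, `packages: write`, `attestations: write` with no `contents: read` (dropped in the preceding commit of this series and not restored here); because an explicit `permissions:` key sets every unlisted scope to `none`, any `actions/checkout` step in this job (outside the hunk) would lose read access on a private repository or fork, and the explicit `contents: read` also documents that the build job is not expected to write to the repository. Add `contents: read` back next to `packages: write`. The `permissions:` block is complete in the hunk, but the job definition continues beyond it.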
diff --git a/.github/workflows/atlantis-image.yml b/.github/workflows/atlantis-image.yml index 68d6c79e45..2ad42b7855 100644 --- a/.github/workflows/atlantis-image.yml +++ b/.github/workflows/atlantis-image.yml @@ -154,6 +154,7 @@ jobs: outputs: type=image,name=target,annotation-index.org.opencontainers.image.description=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.description'] }} - name: "Sign and Attest Image" + if: env.PUSH == 'true' uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0 with: subject-digest: ${{ steps.build.outputs.digest }}