feat: Add ability to attest the supplied multi-arch image #3875
Signed-off-by: Danil Grigorev <[email protected]>
@Danil-Grigorev Hi! Thanks for this. It looks great. Could you update the docs with this new option? Could you add an entry to the CHANGELOG.md?
cb751e1 to 4d135a6
Signed-off-by: Danil-Grigorev <[email protected]>
4d135a6 to af1f497
@@ -216,6 +216,7 @@ Inputs: | |||
| `gcp-service-account` | Email address or unique identifier of the Google Cloud service account for which to generate credentials. For example:<br>`[email protected]` | | |||
| `provenance-registry-username` | Username when publishing to provenance registry (option 'provenance-registry') instead of image registry. Either `provenance-registry-username` input or `provenance-registry-username` secret is required. | | |||
| `provenance-registry` | If set, provenance is pushed to this registry instead of image registry. (e.g. `gcr.io/my-new-repo`) | | |||
| `recursive` | If set, attestation is performed recursively on the image. Usefull when a multi-arch image is used. | |
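Review bot: The new `recursive` row says "If set" without stating what values the input accepts or what its default is, so a reader cannot tell whether leaving it out and setting it to a false value behave the same. Suggest naming the type and default in the description, and mentioning that it corresponds to the `--recursive` option of the attestation step, as the CHANGELOG entry does. "Usefull" in the same row should be "Useful".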
| `recursive` | If set, attestation is performed recursively on the image. Usefull when a multi-arch image is used. | | |
| `recursive` | If set, attestation is performed recursively on each of the images. Useful when a multi-arch image is used. | |
|
||
##### New Features | ||
|
||
- A new [`recursive`](https://github.com/slsa-framework/slsa-github-generator/blob/v1.5.0/internal/builders/container/README.md#workflow-inputs) input was added to allow users to pass `--recursive` option to the provenance attestation, usefull when signing `multi-arch` images. |
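Review bot: The end of this entry says the option is useful when "signing" `multi-arch` images, while the input it describes is passed to the provenance attestation; "attesting" would match what the option does and avoid confusing it with image signing. The link is an absolute URL pinned to the `v1.5.0` tag, so it only points at the new row once that tag contains this README change. "usefull" should be "useful".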
- A new [`recursive`](https://github.com/slsa-framework/slsa-github-generator/blob/v1.5.0/internal/builders/container/README.md#workflow-inputs) input was added to allow users to pass `--recursive` option to the provenance attestation, usefull when signing `multi-arch` images. | |
- A new [`recursive`](./internal/builders/container/README.md#workflow-inputs) input was added to allow users to pass `--recursive` option to the provenance attestation, usefull when signing `multi-arch` images. |
@Danil-Grigorev Were you able to test this in any way, perhaps on your own fork?
Summary
When using docker buildx to build multi-arch images, the SLSA workflow may need to recursively attest the underlying images for the multi-arch build.
This is possible using `--recursive=true` according to the `cosign attest` help:

This change allows providing the `recursive` input flag in the workflow....
Testing Process
...
Checklist