diff --git a/.github/workflows/generator_container_slsa3.yml b/.github/workflows/generator_container_slsa3.yml
index 5ef7bcb1a3..b6fad55607 100644
--- a/.github/workflows/generator_container_slsa3.yml
+++ b/.github/workflows/generator_container_slsa3.yml
@@ -87,6 +87,11 @@ on:
 description: "If set, provenance is pushed to this registry instead of image registry."
 required: false
 type: string
+ recursive:
+ description: "If set, for the specified multi-arch image, additionally sign each discrete image."
+ required: false
+ type: boolean
+ default: false
 outputs:
 # Note: we use this output because there is no buildt-in `outcome` and `result` is always `success`
 # if `continue-on-error` is set to `true`.
@@ -268,6 +273,7 @@ jobs:
 GITHUB_CONTEXT: "${{ toJSON(github) }}"
 VARS_CONTEXT: "${{ toJSON(vars) }}"
 UNTRUSTED_PROVENANCE_REPOSITORY: "${{ inputs.provenance-repository }}"
+ RECURSIVE: "${{ inputs.recursive }}"
 run: |
 set -euo pipefail
@@ -283,6 +289,7 @@
 cosign attest --predicate="$predicate_name" \
 --type slsaprovenance \
 --yes \
+ --recursive="${RECURSIVE}" \
 "${UNTRUSTED_IMAGE}@${UNTRUSTED_DIGEST}"
 - name: Final outcome
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6b9a7e3fef..9aefe2873e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,6 +11,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - [Unreleased](#unreleased)
 - [Unreleased: Vars context recorded in provenance](#unreleased-vars-context-recorded-in-provenance)
+ - [Container generator](#container-generator)
+ - [New Features](#new-features)
 - [v2.0.0](#v200)
 - [v2.0.0: Breaking Change: upload-artifact and download-artifact](#v200-breaking-change-upload-artifact-and-download-artifact)
 - [v2.0.0: Breaking Change: attestation-name Workflow Input and Output](#v200-breaking-change-attestation-name-workflow-input-and-output)
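Review bot: The `recursive` input's description says the workflow will "additionally sign each discrete image", but the only place the input is consumed is the `cosign attest` invocation, which attaches a provenance attestation rather than a signature; a caller who reads the description may assume per-platform images come out signed when they do not. Suggest wording the input after what the hunk actually does: `description: "If set, for the specified multi-arch image, additionally attach the provenance attestation to each discrete (per-platform) image (passed through as cosign attest --recursive)."`. It is also worth stating in the description, or in the README row, that the same predicate file is reused for every child image, since the predicate is generated once for the index digest in this job; confirm against cosign's recursive handling before documenting that as a guarantee.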
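Review bot: `--recursive="${RECURSIVE}"` is passed unconditionally, so if the env var ever expands to the empty string the attest step fails on flag parsing (an empty value is not a valid boolean for cosign's `--recursive` flag) rather than falling back to the non-recursive behaviour the workflow had before this change. The `default: false` on the input covers the ordinary `workflow_call` case, but a caller that passes an expression evaluating to empty, or a future trigger that does not carry the input, would hit this; `set -u` does not catch it because the variable is set, just empty. A one-line guard keeps the previous behaviour as the fallback: `--recursive="${RECURSIVE:-false}" \`. Note that the step's `run` script and the surrounding job start outside the hunk, so I could not check whether `RECURSIVE` is validated earlier in the script.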
@@ -33,19 +35,19 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - [v1.6.0](#v160)
 - [Summary of changes](#summary-of-changes)
 - [Go builder](#go-builder)
- - [New Features](#new-features)
- - [Generic generator](#generic-generator)
 - [New Features](#new-features-1)
- - [Container generator](#container-generator)
+ - [Generic generator](#generic-generator)
+ - [New Features](#new-features-2)
+ - [Container generator](#container-generator-1)
 - [Changelog since v1.5.0](#changelog-since-v150)
 - [v1.5.0](#v150)
 - [Summary of changes](#summary-of-changes-1)
 - [Go builder](#go-builder-1)
- - [New Features](#new-features-2)
- - [Generic generator](#generic-generator-1)
 - [New Features](#new-features-3)
- - [Container generator](#container-generator-1)
+ - [Generic generator](#generic-generator-1)
 - [New Features](#new-features-4)
+ - [Container generator](#container-generator-2)
+ - [New Features](#new-features-5)
 - [Changelog since v1.4.0](#changelog-since-v140)
 - [v1.4.0](#v140)
 - [What's Changed](#whats-changed)
@@ -112,6 +114,12 @@ duplication."
 container generators. The `vars` context cannot affect the build in the Go builder so it is not recorded.
+#### Container generator
+
+##### New Features
+
+- A new [`recursive`](https://github.com/slsa-framework/slsa-github-generator/blob/v1.5.0/internal/builders/container/README.md#workflow-inputs) input was added to allow users to pass `--recursive` option to the provenance attestation, usefull when signing `multi-arch` images.
+
 ## v2.0.0
 ### v2.0.0: Breaking Change: upload-artifact and download-artifact
diff --git a/internal/builders/container/README.md b/internal/builders/container/README.md
index 4185ad4e16..815236977d 100644
--- a/internal/builders/container/README.md
+++ b/internal/builders/container/README.md
@@ -216,6 +216,7 @@ Inputs:
 | `gcp-service-account` | Email address or unique identifier of the Google Cloud service account for which to generate credentials. For example:
`my-service-account@my-project.iam.gserviceaccount.com` |
 | `provenance-registry-username` | Username when publishing to provenance registry (option 'provenance-registry') instead of image registry. Either `provenance-registry-username` input or `provenance-registry-username` secret is required. |
 | `provenance-registry` | If set, provenance is pushed to this registry instead of image registry. (e.g. `gcr.io/my-new-repo`) |
+| `recursive` | If set, attestation is performed recursively on the image. Usefull when a multi-arch image is used. |
 Secrets: