Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Add ability to attest the supplied multi-arch image #3875

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 7 additions & 0 deletions .github/workflows/generator_container_slsa3.yml
Original file line number Diff line number Diff line change
Expand Up @@ -87,6 +87,11 @@ on:
description: "If set, provenance is pushed to this registry instead of image registry."
required: false
type: string
recursive:
description: "If set, for the specified multi-arch image, additionally sign each discrete image."
required: false
type: boolean
default: false
outputs:
# Note: we use this output because there is no buildt-in `outcome` and `result` is always `success`
# if `continue-on-error` is set to `true`.
Expand Down Expand Up @@ -268,6 +273,7 @@ jobs:
GITHUB_CONTEXT: "${{ toJSON(github) }}"
VARS_CONTEXT: "${{ toJSON(vars) }}"
UNTRUSTED_PROVENANCE_REPOSITORY: "${{ inputs.provenance-repository }}"
RECURSIVE: "${{ inputs.recursive }}"
run: |
set -euo pipefail

Expand All @@ -283,6 +289,7 @@ jobs:
cosign attest --predicate="$predicate_name" \
--type slsaprovenance \
--yes \
--recursive="${RECURSIVE}" \
"${UNTRUSTED_IMAGE}@${UNTRUSTED_DIGEST}"

- name: Final outcome
Expand Down
20 changes: 14 additions & 6 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

- [Unreleased](#unreleased)
- [Unreleased: Vars context recorded in provenance](#unreleased-vars-context-recorded-in-provenance)
- [Container generator](#container-generator)
- [New Features](#new-features)
- [v2.0.0](#v200)
- [v2.0.0: Breaking Change: upload-artifact and download-artifact](#v200-breaking-change-upload-artifact-and-download-artifact)
- [v2.0.0: Breaking Change: attestation-name Workflow Input and Output](#v200-breaking-change-attestation-name-workflow-input-and-output)
Expand All @@ -33,19 +35,19 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- [v1.6.0](#v160)
- [Summary of changes](#summary-of-changes)
- [Go builder](#go-builder)
- [New Features](#new-features)
- [Generic generator](#generic-generator)
- [New Features](#new-features-1)
- [Container generator](#container-generator)
- [Generic generator](#generic-generator)
- [New Features](#new-features-2)
- [Container generator](#container-generator-1)
- [Changelog since v1.5.0](#changelog-since-v150)
- [v1.5.0](#v150)
- [Summary of changes](#summary-of-changes-1)
- [Go builder](#go-builder-1)
- [New Features](#new-features-2)
- [Generic generator](#generic-generator-1)
- [New Features](#new-features-3)
- [Container generator](#container-generator-1)
- [Generic generator](#generic-generator-1)
- [New Features](#new-features-4)
- [Container generator](#container-generator-2)
- [New Features](#new-features-5)
- [Changelog since v1.4.0](#changelog-since-v140)
- [v1.4.0](#v140)
- [What's Changed](#whats-changed)
Expand Down Expand Up @@ -112,6 +114,12 @@ duplication."
container generators. The `vars` context cannot affect the build in the Go
builder so it is not recorded.

#### Container generator

##### New Features

- A new [`recursive`](https://github.com/slsa-framework/slsa-github-generator/blob/v1.5.0/internal/builders/container/README.md#workflow-inputs) input was added to allow users to pass `--recursive` option to the provenance attestation, usefull when signing `multi-arch` images.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- A new [`recursive`](https://github.com/slsa-framework/slsa-github-generator/blob/v1.5.0/internal/builders/container/README.md#workflow-inputs) input was added to allow users to pass `--recursive` option to the provenance attestation, usefull when signing `multi-arch` images.
- A new [`recursive`](./internal/builders/container/README.md#workflow-inputs) input was added to allow users to pass `--recursive` option to the provenance attestation, usefull when signing `multi-arch` images.


## v2.0.0

### v2.0.0: Breaking Change: upload-artifact and download-artifact
Expand Down
1 change: 1 addition & 0 deletions internal/builders/container/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -216,6 +216,7 @@ Inputs:
| `gcp-service-account` | Email address or unique identifier of the Google Cloud service account for which to generate credentials. For example:<br>`[email protected]` |
| `provenance-registry-username` | Username when publishing to provenance registry (option 'provenance-registry') instead of image registry. Either `provenance-registry-username` input or `provenance-registry-username` secret is required. |
| `provenance-registry` | If set, provenance is pushed to this registry instead of image registry. (e.g. `gcr.io/my-new-repo`) |
| `recursive` | If set, attestation is performed recursively on the image. Usefull when a multi-arch image is used. |
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
| `recursive` | If set, attestation is performed recursively on the image. Usefull when a multi-arch image is used. |
| `recursive` | If set, attestation is performed recursively on each of the images. Useful when a multi-arch image is used. |


Secrets:

Expand Down
Loading