Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: add image attestation workflow step #5158

Open
wants to merge 17 commits into
base: main
Choose a base branch
from
Open

feat: add image attestation workflow step #5158

wants to merge 17 commits into from
+13 −0

Conversation

notdurson
Copy link

@notdurson notdurson commented Dec 12, 2024
edited by nitrocode
Loading

what

  • This change adds a step to the container build workflow which signs the resulting images and stores the attestation/signature for review by users.

why

tests

  • local cosign run was successful.

references

@notdurson notdurson requested review from a team as code owners December 12, 2024 20:59
@notdurson notdurson requested review from GenPage, nitrocode and X-Guardian and removed request for a team December 12, 2024 20:59
@dosubot dosubot bot added the docker Pull requests that update Docker code label Dec 12, 2024
@jamengual jamengual changed the title add image attestation workflow step fix: add image attestation workflow step Dec 12, 2024
@bmbeverst
Copy link

Looks like this needs some additional permissions per step one of the action's docs.

@notdurson
Copy link
Author

I can't see the vuln that Fossa's complaining about. @nitrocode can you take a look?

@jamengual
Copy link
Contributor

image

notdurson and others added 4 commits December 13, 2024 07:36
@notdurson @robertchrk
Update .github/workflows/atlantis-image.yml
c72259d 
Per @robertchrk, reference `image-name@digest` instead of `name`

Co-authored-by: Robert Kugler <[email protected]>
Signed-off-by: Dan Urson <[email protected]>
@notdurson @robertchrk
Update .github/workflows/atlantis-image.yml
9abb1db 
Co-authored-by: Robert Kugler <[email protected]>
Signed-off-by: Dan Urson <[email protected]>
@notdurson
Merge branch 'main' into signing-and-sbom
6d7f2f7
@notdurson
fix: identify build
c5f931e 
Signed-off-by: Dan Urson <[email protected]>
@nitrocode
Copy link
Member

Thanks for the contribution!

Could you test this out in your fork by merging your signing-and-sbom branch into your fork's main branch? That should trigger a push and then we can then look at the released image to see if it successfully added image attestation.

@chenrui333 chenrui333 added the feature New functionality/enhancement label Dec 15, 2024
@chenrui333
Copy link
Member

the vulnerbility issue should be fixed per #5165

chenrui333
chenrui333 previously approved these changes Dec 15, 2024
View reviewed changes
Copy link
Member

@chenrui333 chenrui333 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@dosubot dosubot bot added the lgtm This PR has been approved by a maintainer label Dec 15, 2024
@chenrui333 chenrui333 changed the title fix: add image attestation workflow step feat: add image attestation workflow step Dec 15, 2024
notdurson and others added 2 commits December 16, 2024 08:08
@notdurson
Merge branch 'main' into signing-and-sbom
44880f8
@notdurson @robertchrk
fix: Sign images using digest/repo instead of path
de0084a 
break attestation into its own workflow

Signed-off-by: Dan Urson <[email protected]>

add permissions back to attestation workflow

Signed-off-by: Dan Urson <[email protected]>

delete independent attestation wf

it's supposed to be contained in the build wf per github best practices

Signed-off-by: Dan Urson <[email protected]>

add back modified build workflow

contains updated attestation step

Signed-off-by: Dan Urson <[email protected]>

aparently the tag is the path wtf

Signed-off-by: Dan Urson <[email protected]>

try again with the bare repo name as the path

Signed-off-by: Dan Urson <[email protected]>

Test

Signed-off-by: Dan Urson <[email protected]>
Co-authored-by: Robert Kugler <[email protected]>

Fix digest

Signed-off-by: Dan Urson <[email protected]>
Co-authored-by: Robert Kugler <[email protected]>

Fix subject name

Signed-off-by: Dan Urson <[email protected]>
Co-authored-by: Robert Kugler <[email protected]>

Try variable

Signed-off-by: Dan Urson <[email protected]>
Co-authored-by: Robert Kugler <[email protected]>
@notdurson
Copy link
Author

@nitrocode @chenrui333 Friends, thank you for your patience. We conducted some additional tests and were able to successfully sign/attest to an image in my fork.

I would appreciate it if you could review the most recent commit here, and give it a maintainer-grade 👍 if you're okay with it.

@notdurson
Copy link
Author

notdurson commented Dec 18, 2024
edited
Loading

@jamengual ok - it's still failing, but that's expected. it's because we're hitting this issue in the attest-build-provenance action - tl;dr, the action won't run if it's run as part of a merge from a fork, the merge has to be completed from a branch in the same repo.

in my fork, the attestation works on the latest build. are you comfortable approving a merge with this in mind?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@robertchrk robertchrk robertchrk left review comments

@nitrocode nitrocode nitrocode left review comments

@jamengual jamengual jamengual left review comments

@chenrui333 chenrui333 chenrui333 left review comments

@GenPage GenPage Awaiting requested review from GenPage GenPage is a code owner automatically assigned from runatlantis/maintainers

@X-Guardian X-Guardian Awaiting requested review from X-Guardian X-Guardian is a code owner automatically assigned from runatlantis/core-contributors

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
docker Pull requests that update Docker code feature New functionality/enhancement github-actions lgtm This PR has been approved by a maintainer
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Start signing Atlantis containers and providing signatures/SBOMs for new releases
6 participants
@notdurson @bmbeverst @jamengual @nitrocode @chenrui333 @robertchrk