From 20916e8f90f295b5824b530ade98e9a6abf6094e Mon Sep 17 00:00:00 2001 From: Dan Urson Date: Thu, 12 Dec 2024 15:55:14 -0500 Subject: [PATCH 01/13] add image attestation workflow step Signed-off-by: Dan Urson --- .github/workflows/atlantis-image.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/atlantis-image.yml b/.github/workflows/atlantis-image.yml index 011050dbc4..02747bfb6a 100644 --- a/.github/workflows/atlantis-image.yml +++ b/.github/workflows/atlantis-image.yml @@ -146,6 +146,10 @@ jobs: target: ${{ matrix.image_type }} labels: ${{ steps.meta.outputs.labels }} outputs: type=image,name=target,annotation-index.org.opencontainers.image.description=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.description'] }} + - name: "Attest Image" + uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0 + with: + subject-path: ${{ steps.meta.outputs.tags }} test: needs: [changes] From 3f8810276b565b9be87b50b68d4fb6f388282929 Mon Sep 17 00:00:00 2001 From: Dan Urson Date: Thu, 12 Dec 2024 16:09:58 -0500 Subject: [PATCH 02/13] feat: add image attestation workflow step Signed-off-by: Dan Urson --- .github/workflows/atlantis-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/atlantis-image.yml b/.github/workflows/atlantis-image.yml index 02747bfb6a..c83ea89203 100644 --- a/.github/workflows/atlantis-image.yml +++ b/.github/workflows/atlantis-image.yml @@ -146,7 +146,7 @@ jobs: target: ${{ matrix.image_type }} labels: ${{ steps.meta.outputs.labels }} outputs: type=image,name=target,annotation-index.org.opencontainers.image.description=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.description'] }} - - name: "Attest Image" + - name: "Sign and Attest Image" uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0 with: subject-path: ${{ steps.meta.outputs.tags }} 
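Review bot: `subject-path` expects paths to artifact files on the runner, but `steps.meta.outputs.tags` is the tag list produced by the metadata step, so this step has no file to attest; patches 04 and 05 keep `subject-path` pointed at build outputs (`name`, `image-name`) that docker/build-push-action does not document (it exposes `imageid`, `digest` and `metadata`), and patch 09 resolves it by switching to `subject-digest` plus `subject-name`. Patch 04 also references `steps.build.outputs.*` before the build step carries `id: build`, which only arrives in patch 07, so those expressions expand to empty at that point in the series. The job-level `id-token: write` and `attestations: write` the action needs are added in patch 03. The enclosing `build` job's step list starts and ends outside the hunk.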
From 965eea6185ae2a2fe0656bfd6e15ad8945092d29 Mon Sep 17 00:00:00 2001 From: Dan Urson Date: Thu, 12 Dec 2024 16:14:14 -0500 Subject: [PATCH 03/13] add required permissions to workflow step Signed-off-by: Dan Urson --- .github/workflows/atlantis-image.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/atlantis-image.yml b/.github/workflows/atlantis-image.yml index c83ea89203..8bbdf7912f 100644 --- a/.github/workflows/atlantis-image.yml +++ b/.github/workflows/atlantis-image.yml @@ -45,6 +45,11 @@ jobs: needs: [changes] if: needs.changes.outputs.should-run-build == 'true' name: Build Image + permissions: + id-token: write + packages: write + contents: read + attestations: write strategy: matrix: image_type: [alpine, debian] From 1ca63df93f59afa31ad3c10b46b4828be779cb10 Mon Sep 17 00:00:00 2001 From: Dan Urson Date: Thu, 12 Dec 2024 17:34:46 -0500 Subject: [PATCH 04/13] fix: change subject-path to name. add digest and push to registry Signed-off-by: Dan Urson --- .github/workflows/atlantis-image.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/atlantis-image.yml b/.github/workflows/atlantis-image.yml index 8bbdf7912f..aba88c8884 100644 --- a/.github/workflows/atlantis-image.yml +++ b/.github/workflows/atlantis-image.yml @@ -154,7 +154,9 @@ jobs: - name: "Sign and Attest Image" uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0 with: - subject-path: ${{ steps.meta.outputs.tags }} + subject-path: ${{ steps.build.outputs.name }} + subject-digest: ${{ steps.build.outputs.digest }} + push-to-registry: true test: needs: [changes] From c72259dc7d72942fd0a8bbd2474ead414b7fbb1a Mon Sep 17 00:00:00 2001 From: Dan Urson Date: Fri, 13 Dec 2024 07:36:46 -0500 Subject: [PATCH 05/13] Update .github/workflows/atlantis-image.yml Per @robertchrk, reference `image-name@digest` instead of `name` Co-authored-by: Robert Kugler 
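Review bot: Once a job declares its own `permissions` block, every scope it does not list becomes `none` for that job, so this list has to carry everything the job's steps need, not only what the attestation action asks for; the four entries look right (`contents: read` presumably for checkout, `packages: write` for pushing to GHCR, `id-token: write` and `attestations: write` for attest-build-provenance), and patches 10, 12 and 13 in this series remove and then restore two of them, which suggests the reason for each is not obvious. A one-line comment per scope would keep the next cleanup from repeating that, e.g. `packages: write  # push image and attestation to ghcr.io` and `id-token: write  # OIDC token for Sigstore signing`. The enclosing `build` job starts outside the hunk.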
Signed-off-by: Dan Urson --- .github/workflows/atlantis-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/atlantis-image.yml b/.github/workflows/atlantis-image.yml index aba88c8884..57862ec3bd 100644 --- a/.github/workflows/atlantis-image.yml +++ b/.github/workflows/atlantis-image.yml @@ -154,7 +154,7 @@ jobs: - name: "Sign and Attest Image" uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0 with: - subject-path: ${{ steps.build.outputs.name }} + subject-path: ${{ steps.build.outputs.image-name }}@${{ steps.build.outputs.digest }} subject-digest: ${{ steps.build.outputs.digest }} push-to-registry: true From 9abb1db3d16ac1f47f23da9f907c8946036f4601 Mon Sep 17 00:00:00 2001 From: Dan Urson Date: Fri, 13 Dec 2024 07:37:08 -0500 Subject: [PATCH 06/13] Update .github/workflows/atlantis-image.yml Co-authored-by: Robert Kugler Signed-off-by: Dan Urson --- .github/workflows/atlantis-image.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/atlantis-image.yml b/.github/workflows/atlantis-image.yml index 57862ec3bd..85e5ba9fe2 100644 --- a/.github/workflows/atlantis-image.yml +++ b/.github/workflows/atlantis-image.yml @@ -152,6 +152,7 @@ jobs: labels: ${{ steps.meta.outputs.labels }} outputs: type=image,name=target,annotation-index.org.opencontainers.image.description=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.description'] }} - name: "Sign and Attest Image" + if: env.PUSH == 'true' uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0 with: subject-path: ${{ steps.build.outputs.image-name }}@${{ steps.build.outputs.digest }} From c5f931e82fb20f2d02551a853bbfd2f1058a5a4a Mon Sep 17 00:00:00 2001 From: Dan Urson Date: Fri, 13 Dec 2024 08:07:27 -0500 Subject: [PATCH 07/13] fix: identify build Signed-off-by: Dan Urson --- .github/workflows/atlantis-image.yml | 1 + 1 file changed, 1 insertion(+) 
diff --git a/.github/workflows/atlantis-image.yml b/.github/workflows/atlantis-image.yml index 85e5ba9fe2..dbc771f45c 100644 --- a/.github/workflows/atlantis-image.yml +++ b/.github/workflows/atlantis-image.yml @@ -134,6 +134,7 @@ jobs: run: echo "RELEASE_VERSION=${{ startsWith(github.ref, 'refs/tags/') && '${GITHUB_REF#refs/*/}' || 'dev' }}" >> $GITHUB_ENV - name: "Build ${{ env.PUSH == 'true' && 'and push' || '' }} ${{ env.DOCKER_REPO }} image" + id: build if: contains(fromJson('["push", "pull_request"]'), github.event_name) uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6 with: From f503fa7d8cd314431bb6094df97860d2eaf55e10 Mon Sep 17 00:00:00 2001 From: Rui Chen Date: Sun, 15 Dec 2024 16:45:16 -0500 Subject: [PATCH 08/13] Update .github/workflows/atlantis-image.yml Co-authored-by: RB <7775707+nitrocode@users.noreply.github.com> Signed-off-by: Rui Chen --- .github/workflows/atlantis-image.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/atlantis-image.yml b/.github/workflows/atlantis-image.yml index dbc771f45c..08936ce74a 100644 --- a/.github/workflows/atlantis-image.yml +++ b/.github/workflows/atlantis-image.yml @@ -152,6 +152,7 @@ jobs: target: ${{ matrix.image_type }} labels: ${{ steps.meta.outputs.labels }} outputs: type=image,name=target,annotation-index.org.opencontainers.image.description=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.description'] }} + - name: "Sign and Attest Image" if: env.PUSH == 'true' uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0 From de0084a77c0a97224b4e966bfb458d7b4bed7a31 Mon Sep 17 00:00:00 2001 From: Dan Urson Date: Mon, 16 Dec 2024 08:35:28 -0500 Subject: [PATCH 09/13] fix: Sign images using digest/repo instead of path break attestation into its own workflow Signed-off-by: Dan Urson add permissions back to attestation workflow 
Signed-off-by: Dan Urson delete independent attestation wf it's supposed to be contained in the build wf per github best practices Signed-off-by: Dan Urson add back modified build workflow contains updated attestation step Signed-off-by: Dan Urson aparently the tag is the path wtf Signed-off-by: Dan Urson try again with the bare repo name as the path Signed-off-by: Dan Urson Test Signed-off-by: Dan Urson Co-authored-by: Robert Kugler Fix digest Signed-off-by: Dan Urson Co-authored-by: Robert Kugler Fix subject name Signed-off-by: Dan Urson Co-authored-by: Robert Kugler Try variable Signed-off-by: Dan Urson Co-authored-by: Robert Kugler --- .github/workflows/atlantis-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/atlantis-image.yml b/.github/workflows/atlantis-image.yml index 08936ce74a..86900b9254 100644 --- a/.github/workflows/atlantis-image.yml +++ b/.github/workflows/atlantis-image.yml @@ -157,8 +157,8 @@ jobs: if: env.PUSH == 'true' uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0 with: - subject-path: ${{ steps.build.outputs.image-name }}@${{ steps.build.outputs.digest }} subject-digest: ${{ steps.build.outputs.digest }} + subject-name: ghcr.io/${{ github.repository }} push-to-registry: true test: From 7cbdb53e2140483c788a0f50322f090ec635301b Mon Sep 17 00:00:00 2001 From: Dan Urson Date: Tue, 17 Dec 2024 13:18:42 -0500 Subject: [PATCH 10/13] remove unnecessary permissions in build step. Signed-off-by: Dan Urson --- .github/workflows/atlantis-image.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/atlantis-image.yml b/.github/workflows/atlantis-image.yml index 86900b9254..f69ffb857b 100644 --- a/.github/workflows/atlantis-image.yml +++ b/.github/workflows/atlantis-image.yml @@ -47,8 +47,6 @@ jobs: name: Build Image permissions: id-token: write - packages: write - contents: read attestations: write strategy: matrix: 
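Review bot: `subject-name: ghcr.io/${{ github.repository }}` hard-codes the registry and repository instead of deriving them from what the build pushed; the build step's name references `env.DOCKER_REPO`, so if that value or the metadata step's tag list differs from `ghcr.io/<owner>/<repo>` (another registry, a different image name, or an owner with upper-case letters, since GHCR names are lowercase while `github.repository` keeps the owner's casing) the attestation is attached to a name that does not match the pushed image or the push of the attestation fails. Derive the name from the same variable the build uses, e.g. `subject-name: ${{ env.DOCKER_REPO }}` if that already carries the registry prefix, or otherwise add a comment on this line stating that only the GHCR copy of the image is attested. Each matrix leg (alpine, debian) will attest its own digest under this one name, which is fine as long as both are pushed. The step this `with:` block belongs to starts outside the hunk.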
From 01ad76a538bae88064714fdf617677adfac5bd2f Mon Sep 17 00:00:00 2001 From: Dan Urson Date: Tue, 17 Dec 2024 13:45:47 -0500 Subject: [PATCH 11/13] remove conditional for image attestation step Signed-off-by: Dan Urson --- .github/workflows/atlantis-image.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/atlantis-image.yml b/.github/workflows/atlantis-image.yml index f69ffb857b..beab1016f5 100644 --- a/.github/workflows/atlantis-image.yml +++ b/.github/workflows/atlantis-image.yml @@ -152,7 +152,6 @@ jobs: outputs: type=image,name=target,annotation-index.org.opencontainers.image.description=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.description'] }} - name: "Sign and Attest Image" - if: env.PUSH == 'true' uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0 with: subject-digest: ${{ steps.build.outputs.digest }} From 177e1a87cf00d83b7f76cde0e262277baca5cf23 Mon Sep 17 00:00:00 2001 From: Dan Urson Date: Tue, 17 Dec 2024 14:17:38 -0500 Subject: [PATCH 12/13] yes we actually need packages:write Signed-off-by: Dan Urson --- .github/workflows/atlantis-image.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/atlantis-image.yml b/.github/workflows/atlantis-image.yml index beab1016f5..5cfe77bb2d 100644 --- a/.github/workflows/atlantis-image.yml +++ b/.github/workflows/atlantis-image.yml @@ -47,6 +47,7 @@ jobs: name: Build Image permissions: id-token: write + packages: write attestations: write strategy: matrix: From d0c48e70657ddc97705bd67c3af053eed27edf60 Mon Sep 17 00:00:00 2001 From: Dan Urson Date: Wed, 18 Dec 2024 11:36:34 -0500 Subject: [PATCH 13/13] add contents:read back to permissions Signed-off-by: Dan Urson --- .github/workflows/atlantis-image.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/atlantis-image.yml b/.github/workflows/atlantis-image.yml index 5cfe77bb2d..8fd0df0929 100644 --- a/.github/workflows/atlantis-image.yml 
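Review bot: Dropping `if: env.PUSH == 'true'` makes the attestation step run on every build, yet the build step's own name shows that `env.PUSH` decides whether the image is pushed, and this step keeps `push-to-registry: true` with `subject-digest: ${{ steps.build.outputs.digest }}`; on a run where the image is not pushed (presumably pull_request, where a fork's token also lacks `id-token: write`) the action will try to attach an attestation to a digest the registry does not hold or fail at signing, and on any event the build step's `if` excludes the digest is empty. If the intent is to attest only published images, gate it on the same condition plus a non-empty digest: `if: env.PUSH == 'true' && steps.build.outputs.digest != ''`. If unpushed PR builds are meant to be attested as well, `push-to-registry` would have to follow `env.PUSH` instead of being fixed to `true`. The enclosing step list starts and ends outside the hunk.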
+++ b/.github/workflows/atlantis-image.yml @@ -46,6 +46,7 @@ jobs: if: needs.changes.outputs.should-run-build == 'true' name: Build Image permissions: + contents: read id-token: write packages: write attestations: write