chore: switch to GitHub attestations #687

Open
wants to merge 5 commits into
base: main
23 changes: 12 additions & 11 deletions .github/workflows/build-push.yml
Expand Up @@ -22,13 +22,13 @@ jobs:
build-push:
runs-on: ubuntu-latest
permissions:
attestations: write
# dependency-submission needs contents write permission.
contents: write
# attest-build-provenance needs id-token write permission.
id-token: write
packages: write
pull-requests: write
# This is used to complete the identity challenge
# with sigstore/fulcio when running outside of PRs.
id-token: write
strategy:
matrix:
flavor: ["cpp", "rust"]
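Review bot: the job-level `contents: write` grant (annotated as needed by dependency-submission) is the broadest permission in this block and applies to every step of `build-push`, including the checkout of pull-request code and the third-party actions that follow; none of the visible hunks in this file add or show a dependency-submission step, so confirm it really lives in this job and, if it does, consider moving it to its own job with its own `contents: write` so the build and attestation steps can stay on `contents: read`. The `id-token: write` grant with its new comment is exactly what `actions/attest-build-provenance` needs, and dropping the old Fulcio-specific comment is right since the action no longer talks to the community Fulcio instance.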
Expand All @@ -39,8 +39,6 @@ jobs:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
if: github.event_name != 'merge_group'
- uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
- uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
if: github.event_name != 'merge_group'
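Review bot: removing `sigstore/cosign-installer` is only safe if no remaining step in this workflow, or in the composite actions it calls (`./.github/actions/container-size-diff` is still used further down), invokes `cosign`; the `cosign sign --yes --recursive ...` step is removed in the last hunk of this file, so the visible parts of the workflow are consistent, but the composite action is not in this diff and should be checked before merging.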
Expand Down Expand Up @@ -98,7 +96,6 @@ jobs:
devcontainer.metadata=${{ steps.devcontainer-metadata.outputs.metadata }}
annotations: ${{ steps.metadata.outputs.annotations }}
sbom: true
provenance: true
cache-from: type=gha,scope=${{ github.repository }}-${{ matrix.flavor }}
cache-to: type=gha,mode=max,scope=${{ github.repository }}-${{ matrix.flavor }}
- uses: ./.github/actions/container-size-diff
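Review bot: dropping `provenance: true` from the `docker/build-push-action` inputs while keeping `sbom: true` changes what the pushed image index carries, and the action's default for this input is not simply "off" (recent versions generate a minimal BuildKit provenance attestation unless it is disabled), so the result is ambiguous; if the intention is to rely solely on the GitHub attestation added later in this file, set `provenance: false` explicitly with a comment saying why, and if the intention is to keep both the BuildKit provenance and the GitHub attestation, leave the line in.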
Expand All @@ -121,14 +118,18 @@ jobs:
with:
comment-summary-in-pr: on-failure
fail-on-severity: critical
- name: Sign the images with GitHub OIDC token
- uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0
if: github.event_name != 'merge_group'
with:
subject-name: ${{ env.REGISTRY }}/${{ github.repository }}-${{ matrix.flavor }}
subject-digest: ${{ steps.build-and-push.outputs.digest }}
push-to-registry: true
- name: Verify attestation
if: github.event_name != 'merge_group'
# This step uses the GitHub OIDC identity token to provision an ephemeral certificate
# against the sigstore community Fulcio instance.
env:
DIGEST: ${{ steps.build-and-push.outputs.digest }}
GH_TOKEN: ${{ github.token }}
run: |
cosign sign --yes --recursive "${{ env.REGISTRY }}/${{ github.repository }}-${{ matrix.flavor }}@${DIGEST}"
gh attestation verify --repo ${{ github.repository }} oci://${{ env.REGISTRY }}/${{ github.repository }}-${{ matrix.flavor }}@${{ steps.build-and-push.outputs.digest }}
acceptance-test:
if: github.event_name == 'pull_request'
needs: build-push
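Review bot: the new `Verify attestation` step inlines `${{ steps.build-and-push.outputs.digest }}` and the other expressions directly into the `run:` shell line, whereas the step it replaces passed the digest through `env: DIGEST:` and referenced `${DIGEST}`; keep the env-variable pattern (it is GitHub's recommended defence against expression injection in `run:` scripts, and this step already has an `env:` block for `GH_TOKEN`), for example `DIGEST: ${{ steps.build-and-push.outputs.digest }}` plus `FLAVOR: ${{ matrix.flavor }}` and then `gh attestation verify --repo "$GITHUB_REPOSITORY" "oci://${REGISTRY}/${GITHUB_REPOSITORY}-${FLAVOR}@${DIGEST}"`. Two further points: the verification runs in the same job, with the same `github.token`, that just produced the attestation, so it proves the attestation was published and is resolvable but is not an independent check; and `--repo` alone accepts any workflow in the repository as the signer, so add `--signer-workflow` naming this workflow file to tighten what counts as a valid attestation, mirroring the `--certificate-identity-regexp` restriction the old cosign flow had.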
19 changes: 19 additions & 0 deletions .github/workflows/package-published.yml
@@ -0,0 +1,19 @@
---
name: Package Published

on:
registry_package:
types: [published]

permissions:
contents: read

jobs:
attach-provenance-to-release:
runs-on: ubuntu-latest
steps:
- run: |
set -Eeuo pipefail
echo "${{ toJson(github.event.registry_package) }}" | jq .

This looks like it's only echoing the JSON. I suppose you intended to do more with the package information?

env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
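Review bot: two problems in this new workflow. First, `echo "${{ toJson(github.event.registry_package) }}" | jq .` interpolates event payload text straight into the shell script; package metadata such as the description is free text, so pass it through `env:` (for example `PACKAGE_JSON: ${{ toJson(github.event.registry_package) }}` and then `printf '%s' "$PACKAGE_JSON" | jq .`) rather than into `run:`. Second, the job is named `attach-provenance-to-release` and sets `GH_TOKEN`, but its only step prints JSON and `permissions` grants `contents: read`, which cannot attach anything to a release; either this is a placeholder that should not land together with the attestation switch, or it needs its real step plus `contents: write` scoped to this job. Minor: `secrets.GITHUB_TOKEN` here versus `github.token` in build-push.yml is inconsistent; both resolve to the same token, so pick one spelling.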
2 changes: 0 additions & 2 deletions .github/workflows/pr-image-cleanup.yml
Expand Up @@ -20,13 +20,11 @@ jobs:
permissions:
packages: write
steps:
- uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
- uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- run: cosign clean -f --type=signature "${{ env.REGISTRY }}/${{ github.repository }}-${{ matrix.flavor }}:pr-${{ github.event.pull_request.number }}"
- uses: bots-house/ghcr-delete-image-action@3827559c68cb4dcdf54d813ea9853be6d468d3a4 # v1.1.0
with:
owner: ${{ github.repository_owner }}
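Review bot: removing `cosign clean` and the installer matches the move away from cosign signatures, but `attest-build-provenance` in build-push.yml now runs with `push-to-registry: true` on `pull_request` events as well (its `if:` only excludes `merge_group`), so each PR image gets attestation artifacts pushed to GHCR; the `ghcr-delete-image-action` step that remains targets the `pr-<number>` tag, so confirm whether those attestation artifacts are removed along with the image or need their own cleanup here, otherwise this workflow stops deleting exactly the kind of sidecar artifact it used to delete.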
2 changes: 2 additions & 0 deletions .github/workflows/social-interaction.yml
Expand Up @@ -3,7 +3,9 @@ name: Social Interaction

on:
issues:
types: [opened]
pull_request:
types: [opened]

permissions:
contents: read
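Review bot: adding the `pull_request: [opened]` trigger to the Social Interaction workflow is unrelated to switching to GitHub attestations; the permission block stays at `contents: read`, which is fine, but this change belongs in its own PR so the attestation switch can be reviewed and, if necessary, reverted on its own.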
27 changes: 25 additions & 2 deletions README.md
Expand Up @@ -53,6 +53,8 @@ Both containers can be used in Visual Studio Code or GitHub Codespaces without a

### Verify image signature

<details><summary>Prior to version 5.6.0</summary>

The container images are signed with [SigStore](https://www.sigstore.dev/) [Cosign](https://docs.sigstore.dev/cosign/signing/overview/) using a keyless signing method.

The signature can be [verified](https://docs.sigstore.dev/cosign/verifying/verify/) with the following command (using Docker), verifying that the image is actually signed by the GitHub CI system:
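Review bot: the `<details>` block titled `Prior to version 5.6.0` keeps the cosign text in the present tense ("The container images are signed with ... Cosign"), which reads as though both mechanisms are active at once; say that images before 5.6.0 were signed with Cosign and that later images carry GitHub attestations instead, and double-check that 5.6.0 is the release in which this workflow change actually ships, since that version number is the only thing telling a reader which verification command applies to their image.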
Expand All @@ -69,12 +71,33 @@ docker run --rm gcr.io/projectsigstore/cosign verify ghcr.io/philips-software/am
docker run --rm gcr.io/projectsigstore/cosign verify ghcr.io/philips-software/amp-devcontainer-rust --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp https://github.com/philips-software/amp-devcontainer
```

</details>

The container images are signed using the [attest-build-provenance](https://github.com/actions/attest-build-provenance) action.

The attestations can be checked with the following command, verifying that the image is actually built by the GitHub CI system:

> amp-devcontainer-cpp

```sh
gh attestation verify --repo philips-software/amp-devcontainer oci://ghcr.io/philips-software/amp-devcontainer-cpp
```

> amp-devcontainer-rust

```sh
gh attestation verify --repo philips-software/amp-devcontainer oci://ghcr.io/philips-software/amp-devcontainer-rust
```

### Local development

The resulting containers can be used in a `.devcontainer.json` file or in a `.devcontainer` folder.

> [!NOTE]
> While the following examples use the `latest` tag, it is recommended to pin to a specific version. Or better yet, a specific SHA.
> See the [releases](https://github.com/philips-software/amp-devcontainer/releases) for the SHA corresponding to a specific release.

### amp-devcontainer-cpp
#### amp-devcontainer-cpp

> .devcontainer/devcontainer.json or .devcontainer.json

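Review bot: the README examples verify by mutable tag (`oci://ghcr.io/philips-software/amp-devcontainer-cpp` resolves to whatever `latest` points at when the command runs), while the note a few lines below tells users to pin to a specific version or SHA; the example should verify the same reference the user will actually run, i.e. `...amp-devcontainer-cpp@sha256:<digest>` or at least a version tag, and should mention `--signer-workflow` so the check is not satisfied by any workflow in the repository, mirroring the `--certificate-identity-regexp` the old cosign command used. Also "signed using the attest-build-provenance action" is slightly off: the action produces a signed SLSA build provenance attestation for the image digest, which is what `gh attestation verify` checks, so "attested" or "carry a signed provenance attestation" would describe it more precisely.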
Expand All @@ -84,7 +107,7 @@ The resulting containers can be used in a `.devcontainer.json` file or in a `.de
}
```

### amp-devcontainer-rust
#### amp-devcontainer-rust

> .devcontainer/devcontainer.json or .devcontainer.json
