From 7fa3636efe59630eb0c65eb34e2878e928c99ba1 Mon Sep 17 00:00:00 2001 From: "K.B.Dharun Krishna" <kbdharunkrishna@gmail.com> Date: Tue, 2 Jul 2024 19:00:12 +0530 Subject: [PATCH] feat: attest image, verify base image Signed-off-by: K.B.Dharun Krishna <kbdharunkrishna@gmail.com> --- .github/workflows/vib-build.yml | 33 +++++++++++++++++++++++++++------ 1 file changed, 27 insertions(+), 6 deletions(-) diff --git a/.github/workflows/vib-build.yml b/.github/workflows/vib-build.yml index 6c11caf..cdc014a 100644 --- a/.github/workflows/vib-build.yml +++ b/.github/workflows/vib-build.yml @@ -12,13 +12,25 @@ on: env: BUILDX_NO_DEFAULT_ATTESTATIONS: 1 -permissions: - contents: write # Allow actions to create release - packages: write # Allow pushing images to GHCR - jobs: + verify-image: + runs-on: ubuntu-latest + + steps: + - name: Verify Base Image Integrity + run: + gh attestation verify oci://ghcr.io/vanilla-os/core:main --owner Vanilla-OS + env: + GH_TOKEN: ${{ github.token }} + build: runs-on: ubuntu-latest + needs: verify-image + permissions: + contents: write # Allow actions to create release + packages: write # Allow pushing images to GHCR + attestations: write # To create and write attestations + id-token: write # Additional permissions for the persistence of the attestations steps: - uses: actions/checkout@v4 @@ -37,14 +49,14 @@ jobs: run: | REPO_OWNER_LOWERCASE="$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]')" echo "REPO_OWNER_LOWERCASE=$REPO_OWNER_LOWERCASE" >> "$GITHUB_ENV" - echo "IMAGE_NAME=ghcr.io/$REPO_OWNER_LOWERCASE/desktop" >> "$GITHUB_ENV" + echo "IMAGE_URL=ghcr.io/$REPO_OWNER_LOWERCASE/desktop" >> "$GITHUB_ENV" - name: Docker meta id: docker_meta uses: docker/metadata-action@v5 with: images: | - ${{ env. IMAGE_NAME }} + ${{ env. IMAGE_URL }} tags: | type=semver,pattern={{version}} type=semver,pattern={{major}}.{{minor}} @@ -76,3 +88,12 @@ jobs: cache-to: type=gha,mode=max platforms: linux/amd64 provenance: false + + - name: Attest pushed image + uses: actions/attest-build-provenance@v1 + id: attest + if: ${{ github.event_name != 'pull_request' }} + with: + subject-name: ${{ env.IMAGE_URL }} + subject-digest: ${{ steps.push.outputs.digest }} + push-to-registry: false