feat: use docker buildx to create attestation files. #387
Conversation
Codecov Report: all modified and coverable lines are covered by tests ✅

```
@@ Coverage Diff @@
##             main     #387   +/-   ##
=======================================
  Coverage   72.39%   72.39%
=======================================
  Files          11       11
  Lines        1228     1228
=======================================
  Hits          889      889
  Misses        266      266
  Partials       73       73
```
1d2c492 to 5db79e1
Overall LGTM, I left one minor comment.
I think we should also provide instructions about:
- How to download the SBOM and provenance files from our repository
- How to verify the SBOM and provenance files published on our repository
- How to verify the SBOM and provenance files attached to our GH release
These instructions could be part of our README.md file; we already have a section there talking about the SBOM.
3e9cf75 to 6855b15
LGTM, but please don't forget to update the README as I requested in this comment.
Looks good, but we need to pass BUILDKIT_SBOM_SCAN_STAGE=true in the Dockerfile.
For the README (just in case), we could tell the users to use the following instead of crane:
```shell
$ docker buildx imagetools inspect <namespace>/<image>:<version> \
    --format "{{ json .SBOM.SPDX }}"
$ docker buildx imagetools inspect <namespace>/<image>:<version> \
    --format "{{ json .Provenance.SLSA }}"
```
5938a98 to d7631aa
586c25f to dd280a2
@pjbgf @kubewarden/kubewarden-developers I've updated the PR to have a checksum file for the SBOM and provenance files and to verify the signatures using the full URL.
Some minor suggestions for consideration.
One more minor suggestion
1394b6f to cee5491
Some small nits, otherwise LGTM.
28a9f65 to a62fb99
LGTM
LGTM!
I'm sorry, while fixing the conflicts and pushing I managed to incorrectly close this PR. Opened #397 as a follow-up with the conflicts fixed.
Description
Updates the GitHub workflow to use Docker buildx to generate the SLSA attestation and SBOM files. Furthermore, the workflow previously used to generate the SBOM files has been updated to download the data from the container registry and upload it to the release page, as it did before.
Fix #384
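As an added example (not code from this PR or from the kubewarden project), the shell script below shows the consumer-side check that the README instructions requested in this thread would describe: a checksum file is produced for the SBOM and provenance documents, verified, and then exercised against a tampered copy. The `docker buildx imagetools inspect` commands that would fetch the real documents from the registry appear only in a comment; the two JSON stand-ins, the function names `make_release_dir`, `write_checksums`, `verify_checksums` and `sbom_is_spdx`, and the file names `sbom.spdx.json`, `provenance.slsa.json` and `checksums.txt` are all assumptions for this example, not the project's actual release layout.

```shell
#!/bin/sh
# Added example, not the project's own code: produce a checksum file for the
# SBOM and provenance documents attached to a release, then verify it the way a
# release consumer would, including the tampered case.
#
# In real use the two documents would first be pulled from the registry, e.g.
#   docker buildx imagetools inspect <namespace>/<image>:<version> \
#       --format '{{ json .SBOM.SPDX }}' > sbom.spdx.json
#   docker buildx imagetools inspect <namespace>/<image>:<version> \
#       --format '{{ json .Provenance.SLSA }}' > provenance.slsa.json
# Here both files are constructed inline (minimal stand-ins, assumed names) so
# the script runs offline.

# Pick the SHA-256 tool: coreutils sha256sum, or shasum (macOS) as a fallback.
sha256_tool() {
    if command -v sha256sum >/dev/null 2>&1; then
        echo "sha256sum"
    else
        echo "shasum -a 256"
    fi
}

# make_release_dir DIR: write the constructed SBOM and provenance into DIR.
make_release_dir() {
    mkdir -p "$1"
    # constructed minimal SPDX document (stand-in for the real SBOM)
    printf '%s\n' '{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"example-image","packages":[]}' \
        > "$1/sbom.spdx.json"
    # constructed minimal provenance predicate (stand-in for the real one)
    printf '%s\n' '{"buildType":"https://example.invalid/buildkit","builder":{"id":"https://example.invalid/builder"}}' \
        > "$1/provenance.slsa.json"
}

# write_checksums DIR: producer side; records one SHA-256 line per document.
# Paths are relative so the file verifies wherever the consumer unpacks it.
write_checksums() {
    ( cd "$1" && $(sha256_tool) sbom.spdx.json provenance.slsa.json > checksums.txt )
}

# verify_checksums DIR: consumer side; exit 0 only if every listed file matches.
verify_checksums() {
    ( cd "$1" && $(sha256_tool) -c checksums.txt >/dev/null 2>&1 )
}

# sbom_is_spdx FILE: cheap sanity check that the downloaded SBOM really is an
# SPDX document before anything parses it (tolerates pretty-printed JSON).
sbom_is_spdx() {
    grep -Eq '"spdxVersion"[[:space:]]*:[[:space:]]*"SPDX-' "$1"
}

# Stand-alone demo: a clean copy verifies, a single appended byte is detected.
demo() {
    demo_dir=$(mktemp -d)
    make_release_dir "$demo_dir"
    write_checksums "$demo_dir"
    verify_checksums "$demo_dir" && echo "clean release: checksums OK"
    printf 'x' >> "$demo_dir/sbom.spdx.json"
    verify_checksums "$demo_dir" || echo "tampered SBOM: checksum mismatch detected"
    rm -rf "$demo_dir"
}
demo
```

The checksum file only binds the documents to itself: an attacker who can replace the release assets can replace `checksums.txt` too, so the file (or the documents directly) still needs the signature verification the thread mentions, or it must be fetched from the registry by digest rather than from the release page.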