Skip to content

feat: Add attestation option to release-image #32

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Jan 25, 2025
Merged

feat: Add attestation option to release-image #32

merged 2 commits into from
Jan 25, 2025

Conversation

ahpook
Copy link
Contributor

@ahpook ahpook commented Jan 25, 2025

This change adds an optional input create-attestion which will push a cryptographically strong build attestation to GitHub's sigstore instance, to enable consumers to verify the built container's contents matched the build.

For more on attestations see : https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds

@Copilot Copilot AI review requested due to automatic review settings January 25, 2025 00:04
@ahpook ahpook requested a review from a team as a code owner January 25, 2025 00:04
@github-actions github-actions bot added the repo label Jan 25, 2025
Copilot
Copilot AI reviewed Jan 25, 2025
View reviewed changes
Copy link

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot reviewed 1 out of 1 changed files in this pull request and generated no comments.

Tip: If you use Visual Studio Code, you can request a review from Copilot before you push from the "Source Control" tab. Learn more

@ahpook ahpook changed the title Add attestation option to release-image feat: Add attestation option to release-image Jan 25, 2025
@ahpook
feat: Add attestation option to release-image
cf4769f 
This change adds an option input `create-attestion` which will push a cryptographically strong build attestation to GitHub's sigstore instance, to enable consumers to verify the built container's contents matched the build.

For more on attestations see : https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds
@ahpook ahpook force-pushed the ahpook/release-add-attestation branch from 431b4d6 to cf4769f Compare January 25, 2025 00:07
@jmeridth
Copy link
Member

This is awesome. Thank you @ahpook. One small change.

I'm gonna fix the inputs vs env vars in this workflow after yours merges.

@jmeridth
fix: use correct variables and add new attestation to test
4b72338 
Signed-off-by: jmeridth <jmeridth@gmail.com>
@jmeridth jmeridth merged commit 1a24929 into main Jan 25, 2025
9 checks passed
@jmeridth jmeridth deleted the ahpook/release-add-attestation branch January 25, 2025 05:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

@jmeridth jmeridth jmeridth approved these changes

Assignees

@ahpook ahpook

Labels
feature repo
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@ahpook @jmeridth