feat: use docker buildx to create attestation files. #387
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #387 +/- ##
=======================================
Coverage 72.39% 72.39%
=======================================
Files 11 11
Lines 1228 1228
=======================================
Hits 889 889
Misses 266 266
Partials 73 73
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
jvanz
force-pushed
the
main
branch
7 times, most recently
from
1d2c492
to
5db79e1
Compare
jvanz
changed the title
There was a problem hiding this comment.
Overall LGTM, I left one minor comment.
I think we should also provide instructions about:
- How to download the SBOM and provenance files from our repository
- How to verify the SBOM and provenance files published on our repository
- How to verify the SBOM and provenance files attached to our GH release
These instructions could be part of our README.md file, we've already this section talking about the SBOM.
jvanz
force-pushed
the
main
branch
5 times, most recently
from
3e9cf75
to
6855b15
Compare
There was a problem hiding this comment.
LGTM, but please don't forget to update the README as I requested inside of this comment
There was a problem hiding this comment.
Looks good, but we need to pass BUILDKIT_SBOM_SCAN_STAGE=true on the Dockerfile.
For the readme (just in case), we could tell the users to use the following instead of crane:
$ docker buildx imagetools inspect <namespace>/<image>:<version> \
--format "{{ json .SBOM.SPDX }}"
$ docker buildx imagetools inspect <namespace>/<image>:<version> \
--format "{{ json .Provenance.SLSA }}"
jvanz
force-pushed
the
main
branch
8 times, most recently
from
5938a98
to
d7631aa
Compare
jvanz
force-pushed
the
main
branch
5 times, most recently
from
586c25f
to
dd280a2
Compare
|
@pjbgf @kubewarden/kubewarden-developers I've updated the PR to have a checksum file for the SBOM and provenance files and verify the signatures using full URL. |
jvanz
force-pushed
the
main
branch
5 times, most recently
from
1394b6f
to
cee5491
Compare
jvanz
force-pushed
the
main
branch
2 times, most recently
from
28a9f65
to
a62fb99
Compare
|
I'm sorry, while fixing the conflicts, and pushing I managed to incorrectly close this PR. Opened #397 as a follow-up with the conflicts fixed. |
Description
Updates the Github workflow to use the Docker buildx to generate the SLSA attestation and SBOM files. Furthermore, the previous workflow used to generate the SBOM files has been updated to download the data from the container registry and upload them to the release page as it does before.
Fix #384