diff --git a/.github/workflows/images_build.yml b/.github/workflows/images_build.yml index fe5452d1f..2a5e6fdc5 100644 --- a/.github/workflows/images_build.yml +++ b/.github/workflows/images_build.yml @@ -30,6 +30,7 @@ env: TRUNK_ONLY_EVENT: ${{ contains(fromJSON('["schedule"]'), github.event_name) }} AUTO_PUSH_IMAGES: ${{ ! contains(fromJSON('["workflow_dispatch"]'), github.event_name) && vars.AUTO_PUSH_IMAGES }} + DOCKER_REGISTRY: ${{ vars.DOCKER_REGISTRY }} DOCKER_REPOSITORY: ${{ vars.DOCKER_REPOSITORY }} LATEST_BRANCH: ${{ github.event.repository.default_branch }} TRUNK_GIT_BRANCH: "refs/heads/trunk" @@ -170,7 +171,8 @@ jobs: permissions: contents: read id-token: write - packages: write + packages: ${{ env.AUTO_PUSH_IMAGES != 'true' && 'write' || 'none' }} + attestations: write steps: - name: Block egress traffic uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 @@ -268,16 +270,6 @@ jobs: ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }} fetch-depth: 1 - - name: Install cosign - if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} - uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 - with: - cosign-release: 'v2.2.3' - - - name: Check cosign version - if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} - run: cosign version - - name: Set up QEMU uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 with: @@ -310,7 +302,7 @@ jobs: with: images: | ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }} - ${{ format('{0}/{1}{2}', env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }} + ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }} context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }} tags: | type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}- @@ -387,25 +379,14 @@ jobs: cache-from: ${{ steps.cache_data.outputs.cache_from }} cache-to: ${{ steps.cache_data.outputs.cache_to }} - - name: Sign the images with GitHub OIDC Token + - name: Attest images if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} - env: - DIGEST: ${{ steps.docker_build.outputs.digest }} - TAGS: ${{ steps.meta.outputs.tags }} - run: | - images="" - for tag in ${TAGS}; do - images+="${tag}@${DIGEST} " - done - - echo "::group::Images to sign" - echo "$images" - echo "::endgroup::" - - echo "::group::Signing" - echo "cosign sign --yes $images" - cosign sign --yes ${images} - echo "::endgroup::" + id: attest + uses: actions/attest-build-provenance@v1 + with: + subject-name: ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }} + subject-digest: ${{ steps.docker_build.outputs.digest }} + push-to-registry: true - name: Image metadata env: @@ -440,7 +421,8 @@ jobs: permissions: contents: read id-token: write - packages: write + packages: ${{ env.AUTO_PUSH_IMAGES != 'true' && 'write' || 'none' }} + attestations: write steps: - name: Block egress traffic uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 @@ -520,7 +502,7 @@ jobs: with: images: | ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }} - ${{ format('{0}/{1}{2}', env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }} + ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }} context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }} tags: | type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}- @@ -570,7 +552,7 @@ jobs: cosign verify \ --certificate-oidc-issuer-regexp "$OIDC_ISSUER" \ --certificate-identity-regexp "$IDENTITY_REGEX" \ - "$BASE_IMAGE" + "$BASE_IMAGE" | jq echo "::endgroup::" - name: Prepare cache data @@ -639,25 +621,14 @@ jobs: org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} - - name: Sign the images with GitHub OIDC Token + - name: Attest images if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} - env: - DIGEST: ${{ steps.docker_build.outputs.digest }} - TAGS: ${{ steps.meta.outputs.tags }} - run: | - images="" - for tag in ${TAGS}; do - images+="${tag}@${DIGEST} " - done - - echo "::group::Images to sign" - echo "$images" - echo "::endgroup::" - - echo "::group::Signing" - echo "cosign sign --yes $images" - cosign sign --yes ${images} - echo "::endgroup::" + id: attest + uses: actions/attest-build-provenance@v1 + with: + subject-name: ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }} + subject-digest: ${{ steps.docker_build.outputs.digest }} + push-to-registry: true - name: Image metadata env: @@ -693,7 +664,8 @@ jobs: permissions: contents: read id-token: write - packages: write + packages: ${{ env.AUTO_PUSH_IMAGES != 'true' && 'write' || 'none' }} + attestations: write steps: - name: Block egress traffic uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 @@ -894,7 +866,7 @@ jobs: with: images: | ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }} - ${{ format('{0}/{1}{2}', env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }} + ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }} context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }} tags: | type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}- @@ -946,7 +918,7 @@ jobs: cosign verify \ --certificate-oidc-issuer-regexp "${OIDC_ISSUER}" \ --certificate-identity-regexp "${IDENTITY_REGEX}" \ - "${BASE_IMAGE}" + "${BASE_IMAGE}" | jq echo "::endgroup::" - name: Prepare cache data @@ -993,25 +965,14 @@ jobs: org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} - - name: Sign the images with GitHub OIDC Token + - name: Attest images if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} - env: - DIGEST: ${{ steps.docker_build.outputs.digest }} - TAGS: ${{ steps.meta.outputs.tags }} - run: | - images="" - for tag in ${TAGS}; do - images+="${tag}@${DIGEST} " - done - - echo "::group::Images to sign" - echo "$images" - echo "::endgroup::" - - echo "::group::Signing" - echo "cosign sign --yes $images" - cosign sign --yes ${images} - echo "::endgroup::" + id: attest + uses: actions/attest-build-provenance@v1 + with: + subject-name: ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }} + subject-digest: ${{ steps.docker_build.outputs.digest }} + push-to-registry: true - name: Image metadata if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}