docker: add SLSA provenance to .github workflow

* the id-token of the GitHub Actions workflow will be used for image signing * replace branch-based tagging with SHA-based tagging since, branch names are mutable, SLSA provenance requires immutable tagging * use official SLSA framework Github Reusable workflow docker: fix incorrect registry name in image output step * use REGISTRY environment variable instead of IMAGE_REGISTRY docker: revert change to remove branch tag
2024-09-15 22:44:00 +05:30 · 2024-09-15 22:44:00 +05:30 · 144221b430
parent d7d9af4c9f
commit 144221b430
2 changed files with 39 additions and 1 deletions
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@ -19,6 +19,11 @@ jobs:
    permissions:
      contents: read
      packages: write
+      id-token: write # needed for signing the images with GitHub OIDC Token
+
+    outputs:
+      image: ${{ steps.image.outputs.image }}
+      digest: ${{ steps.build-and-push.outputs.digest }}

    steps:
      - name: Checkout repository
@ -37,7 +42,8 @@ jobs:
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          tags: |
-            type=ref,event=branch
+            type=sha
+            type=ref, event=branch
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}

@ -55,6 +61,7 @@ jobs:
        if: github.ref != 'refs/heads/master'

      - name: Build and push Docker image
+        id: build-and-push
        uses: docker/build-push-action@15560696de535e4014efeff63c48f16952e52dd1
        with:
          push: true
@ -64,3 +71,26 @@ jobs:
          pull: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
+        
+      - name: Output image
+        id: image
+        run: |
+          # NOTE: Set the image as an output because the `env` context is not
+          # available to the inputs of a reusable workflow call.
+          image_name="${REGISTRY}/${IMAGE_NAME}"
+          echo "image=$image_name" >> "$GITHUB_OUTPUT"
+        
+  provenance:
+    needs: [build-and-push-image]
+    permissions:
+      actions: read # for detecting the Github Actions environment.
+      id-token: write # for creating OIDC tokens for signing.
+      packages: write # for uploading attestations.
+    if: github.repository == 'restic/restic'
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
+    with:
+      image: ${{ needs.build-and-push-image.outputs.image }}
+      digest: ${{ needs.build-and-push-image.outputs.digest }}
+      registry-username: ${{ github.actor }}
+    secrets:
+      registry-password: ${{ secrets.GITHUB_TOKEN }}
--- a/changelog/unreleased/issue-4983
+++ b/changelog/unreleased/issue-4983
@ -0,0 +1,8 @@
+Enhancement: add SLSA provenance to the Docker images
+
+Restic's Docker image build workflow now includes SLSA provenance generation. 
+This enhancement improves the security and traceability of the Docker images'
+build process.
+
+https://github.com/restic/restic/issues/4983
+https://github.com/restic/restic/pull/4999