MirrorSave
/
restic
mirror of https://github.com/restic/restic.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

docker: add SLSA provenance to .github workflow 

* the id-token of the GitHub Actions workflow will be used for image signing
* replace branch-based tagging with SHA-based tagging since, branch names are mutable, SLSA provenance requires immutable tagging
* use official SLSA framework Github Reusable workflow

docker: fix incorrect registry name in image output step

* use REGISTRY environment variable instead of IMAGE_REGISTRY

docker: revert change to remove branch tag
This commit is contained in:
Srigovind Nayak 2024-09-15 22:44:00 +05:30 committed by Srigovind Nayak
parent d7d9af4c9f
commit 144221b430
No known key found for this signature in database
GPG Key ID: 09006810B7263D69
2 changed files with 39 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
.github/workflows/docker.yml vendored
View File

@ -19,6 +19,11 @@ jobs:
permissions: permissions:
contents: read contents: read
packages: write packages: write
id-token: write # needed for signing the images with GitHub OIDC Token
outputs:
image: ${{ steps.image.outputs.image }}
digest: ${{ steps.build-and-push.outputs.digest }}
steps: steps:
- name: Checkout repository - name: Checkout repository
@ -37,7 +42,8 @@ jobs:
with: with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: | tags: |
type=ref,event=branch type=sha
type=ref, event=branch
type=semver,pattern={{version}} type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}} type=semver,pattern={{major}}.{{minor}}
@ -55,6 +61,7 @@ jobs:
if: github.ref != 'refs/heads/master' if: github.ref != 'refs/heads/master'
- name: Build and push Docker image - name: Build and push Docker image
id: build-and-push
uses: docker/build-push-action@15560696de535e4014efeff63c48f16952e52dd1 uses: docker/build-push-action@15560696de535e4014efeff63c48f16952e52dd1
with: with:
push: true push: true
@ -64,3 +71,26 @@ jobs:
pull: true pull: true
tags: ${{ steps.meta.outputs.tags }} tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }} labels: ${{ steps.meta.outputs.labels }}
- name: Output image
id: image
run: |
# NOTE: Set the image as an output because the `env` context is not
# available to the inputs of a reusable workflow call.
image_name="${REGISTRY}/${IMAGE_NAME}"
echo "image=$image_name" >> "$GITHUB_OUTPUT"
provenance:
needs: [build-and-push-image]
permissions:
actions: read # for detecting the Github Actions environment.
id-token: write # for creating OIDC tokens for signing.
packages: write # for uploading attestations.
if: github.repository == 'restic/restic'
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
with:
image: ${{ needs.build-and-push-image.outputs.image }}
digest: ${{ needs.build-and-push-image.outputs.digest }}
registry-username: ${{ github.actor }}
secrets:
registry-password: ${{ secrets.GITHUB_TOKEN }}

8
changelog/unreleased/issue-4983 Normal file
View File

@ -0,0 +1,8 @@
Enhancement: add SLSA provenance to the Docker images
Restic's Docker image build workflow now includes SLSA provenance generation.
This enhancement improves the security and traceability of the Docker images'
build process.
https://github.com/restic/restic/issues/4983
https://github.com/restic/restic/pull/4999