Merge pull request #4999 from konidev20/fix-gh-4983-slsa-provenance-for-ghcr-container-images

docker: sign container images pushed to GHCR with GitHub OIDC tokens

.github/workflows/docker.yml

@@ -20,6 +20,10 @@ jobs:
       contents: read
       packages: write
 
+    outputs:
+      image: ${{ steps.image.outputs.image }}
+      digest: ${{ steps.build-and-push.outputs.digest }}
+
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
@@ -37,6 +41,7 @@ jobs:
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           tags: |
+            type=sha
             type=ref,event=branch
             type=semver,pattern={{version}}
             type=semver,pattern={{major}}.{{minor}}
@@ -55,6 +60,7 @@ jobs:
         if: github.ref != 'refs/heads/master'
 
       - name: Build and push Docker image
+        id: build-and-push
         uses: docker/build-push-action@15560696de535e4014efeff63c48f16952e52dd1
         with:
           push: true
@@ -64,3 +70,26 @@ jobs:
           pull: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+        
+      - name: Output image
+        id: image
+        run: |
+          # NOTE: Set the image as an output because the `env` context is not
+          # available to the inputs of a reusable workflow call.
+          image_name="${REGISTRY}/${IMAGE_NAME}"
+          echo "image=$image_name" >> "$GITHUB_OUTPUT"
+        
+  provenance:
+    needs: [build-and-push-image]
+    permissions:
+      actions: read # for detecting the Github Actions environment.
+      id-token: write # for creating OIDC tokens for signing.
+      packages: write # for uploading attestations.
+    if: github.repository == 'restic/restic'
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
+    with:
+      image: ${{ needs.build-and-push-image.outputs.image }}
+      digest: ${{ needs.build-and-push-image.outputs.digest }}
+      registry-username: ${{ github.actor }}
+    secrets:
+      registry-password: ${{ secrets.GITHUB_TOKEN }}

changelog/unreleased/issue-4983

@@ -0,0 +1,8 @@
+Enhancement: add SLSA provenance to the GHCR Container images
+
+Restic's GitHub Container Registry (GHCR) image build workflow now includes
+SLSA provenance generation. This enhancement improves the security and 
+traceability of images built and pushed to GHCR. 
+
+https://github.com/restic/restic/issues/4983
+https://github.com/restic/restic/pull/4999

doc/developer_information.rst

@@ -113,6 +113,34 @@ The following steps are necessary to build the binaries:
         restic/builder \
         go run helpers/build-release-binaries/main.go --version 0.14.0 --verbose
 
+Verifying SLSA Provenance for Docker Images
+*******************************************
+
+Our Docker images are built with SLSA (Supply-chain Levels for Software Artifacts)
+provenance. 
+
+To verify this provenance:
+
+1. Install the `slsa-verifier` tool from https://github.com/slsa-framework/slsa-verifier
+
+2. Run the following command:
+
+   .. code-block:: console
+
+      $ slsa-verifier verify-image \
+        --source-uri github.com/restic/restic \
+        <image-name>@<digest>
+
+   Replace `<tag>` with the Git tag of the release you're verifying, `<image-name>`
+   with the full name of the Docker image (including the registry), and `<digest>`
+   with the SHA256 digest of the image.
+
+3. If the verification is successful, you'll see output indicating that the provenance 
+is valid.
+
+This verification ensures that the Docker image was built by our official GitHub
+Actions workflow and has not been tampered with since its creation.
+
 Verifying the Official Binaries
 *******************************