Merge pull request #4999 from konidev20/fix-gh-4983-slsa-provenance-for-ghcr-container-images

docker: sign container images pushed to GHCR with GitHub OIDC tokens
2025-01-12 22:38:33 +01:00 · 2025-01-12 22:38:33 +01:00 · 27189e03ee
parent 4e1eeeb721 8d45a4b283
commit 27189e03ee
3 changed files with 65 additions and 0 deletions
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@ -20,6 +20,10 @@ jobs:
      contents: read
      packages: write

+    outputs:
+      image: ${{ steps.image.outputs.image }}
+      digest: ${{ steps.build-and-push.outputs.digest }}
+
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
@ -37,6 +41,7 @@ jobs:
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          tags: |
+            type=sha
            type=ref,event=branch
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
@ -55,6 +60,7 @@ jobs:
        if: github.ref != 'refs/heads/master'

      - name: Build and push Docker image
+        id: build-and-push
        uses: docker/build-push-action@15560696de535e4014efeff63c48f16952e52dd1
        with:
          push: true
@ -64,3 +70,26 @@ jobs:
          pull: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
+        
+      - name: Output image
+        id: image
+        run: |
+          # NOTE: Set the image as an output because the `env` context is not
+          # available to the inputs of a reusable workflow call.
+          image_name="${REGISTRY}/${IMAGE_NAME}"
+          echo "image=$image_name" >> "$GITHUB_OUTPUT"
+        
+  provenance:
+    needs: [build-and-push-image]
+    permissions:
+      actions: read # for detecting the Github Actions environment.
+      id-token: write # for creating OIDC tokens for signing.
+      packages: write # for uploading attestations.
+    if: github.repository == 'restic/restic'
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
+    with:
+      image: ${{ needs.build-and-push-image.outputs.image }}
+      digest: ${{ needs.build-and-push-image.outputs.digest }}
+      registry-username: ${{ github.actor }}
+    secrets:
+      registry-password: ${{ secrets.GITHUB_TOKEN }}
--- a/changelog/unreleased/issue-4983
+++ b/changelog/unreleased/issue-4983
@ -0,0 +1,8 @@
+Enhancement: add SLSA provenance to the GHCR Container images
+
+Restic's GitHub Container Registry (GHCR) image build workflow now includes
+SLSA provenance generation. This enhancement improves the security and 
+traceability of images built and pushed to GHCR. 
+
+https://github.com/restic/restic/issues/4983
+https://github.com/restic/restic/pull/4999
--- a/doc/developer_information.rst
+++ b/doc/developer_information.rst
@ -113,6 +113,34 @@ The following steps are necessary to build the binaries:
        restic/builder \
        go run helpers/build-release-binaries/main.go --version 0.14.0 --verbose

+Verifying SLSA Provenance for Docker Images
+*******************************************
+
+Our Docker images are built with SLSA (Supply-chain Levels for Software Artifacts)
+provenance. 
+
+To verify this provenance:
+
+1. Install the `slsa-verifier` tool from https://github.com/slsa-framework/slsa-verifier
+
+2. Run the following command:
+
+   .. code-block:: console
+
+      $ slsa-verifier verify-image \
+        --source-uri github.com/restic/restic \
+        <image-name>@<digest>
+
+   Replace `<tag>` with the Git tag of the release you're verifying, `<image-name>`
+   with the full name of the Docker image (including the registry), and `<digest>`
+   with the SHA256 digest of the image.
+
+3. If the verification is successful, you'll see output indicating that the provenance 
+is valid.
+
+This verification ensures that the Docker image was built by our official GitHub
+Actions workflow and has not been tampered with since its creation.
+
 Verifying the Official Binaries
 *******************************