From 86095fc205e05dc8f0b091e8edb9092d4a8aeada Mon Sep 17 00:00:00 2001
From: Kenneth Bingham
Date: Mon, 24 Feb 2025 15:35:21 -0500
Subject: [PATCH 1/3] publish container image attestations
---
 .github/workflows/publish-docker-images.yml | 25 ++++++++++++++++++---
 1 file changed, 22 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/publish-docker-images.yml b/.github/workflows/publish-docker-images.yml
index 4faf43c16..5a71f6527 100644
--- a/.github/workflows/publish-docker-images.yml
+++ b/.github/workflows/publish-docker-images.yml
@@ -11,13 +11,19 @@ on:
 jobs:
 publish-docker-images:
 runs-on: ubuntu-24.04
+ permissions:
+ contents: write # need write to draft the release
+ id-token: write # need write to get OIDC token for generating attestations
+ attestations: write # need write to create attestations
 env:
+ REGISTRY: docker.io
 RELEASE_REF: ${{ inputs.zrok-version }}
 steps:
 # compose the semver string without leading "refs/tags" or "v" so we can predict the
 # release artifact filename
 - name: Set zrok Version Semver from Tag Ref
 id: semver
+ shell: bash
 run: |
 echo "zrok_semver=${RELEASE_REF#v}" | tee -a $GITHUB_OUTPUT
@@ -37,6 +43,7 @@ jobs:
 path: dist/arm64/linux
 - name: Unpack the Release Artifacts
+ shell: bash
 run: |
 for TGZ in dist/{amd,arm}64/linux; do
 tar -xvzf ${TGZ}/*.tar.gz -C ${TGZ}
@@ -54,6 +61,7 @@ jobs:
 - name: Login to Docker Hub
 uses: docker/login-action@v3
 with:
+ registry: ${{ env.REGISTRY}}
 username: ${{ vars.DOCKER_HUB_API_USER || secrets.DOCKER_HUB_API_USER }}
 password: ${{ secrets.DOCKER_HUB_API_TOKEN }}
 
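Review bot: The archives extracted by `tar -xvzf ${TGZ}/*.tar.gz -C ${TGZ}` in the "Unpack the Release Artifacts" hunk are consumed without any integrity check, and the new `shell: bash` only makes a missing archive fail the step (GitHub documents that `shell: bash` runs with `-e -o pipefail`) rather than checking what was downloaded. The CHANGELOG later in this series says the release binary artifacts now carry provenance attestations, so if these tarballs are those release assets, verifying them before extraction would bind the image's provenance to an attested input: add `gh attestation verify ${TGZ}/*.tar.gz --repo "${GITHUB_REPOSITORY}"` immediately before the `tar` line, with `GH_TOKEN: ${{ github.token }}` in the step's `env`. If they are instead same-run workflow artifacts from an upload step above this hunk, a one-line comment saying so would spare the next reader the question. The `for` loop's `done` and the download step that fills `dist/` lie outside the hunk.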
@@ -62,14 +70,14 @@ jobs:
 ZROK_CONTAINER_IMAGE_REPO: ${{ vars.ZROK_CONTAINER_IMAGE_REPO || 'openziti/zrok' }}
 ZROK_CONTAINER_IMAGE_TAG: ${{ steps.semver.outputs.zrok_semver }}
 id: tagprep_cli
+ shell: bash
 run: |
 DOCKER_TAGS="${ZROK_CONTAINER_IMAGE_REPO}:${ZROK_CONTAINER_IMAGE_TAG}"
 echo "DOCKER_TAGS=${DOCKER_TAGS}" | tee -a $GITHUB_OUTPUT
- # this is the CLI image with the Linux binary for each
- # arch that was downloaded in ./dist/
 - name: Build & Push Multi-Platform CLI Container Image to Hub
- uses: docker/build-push-action@v3
+ uses: docker/build-push-action@v6
+ id: push
 with:
 builder: ${{ steps.buildx.outputs.name }}
 context: ${{ github.workspace }}/
@@ -79,4 +87,15 @@ jobs:
 build-args: |
 DOCKER_BUILD_DIR=./docker/images/zrok
 ARTIFACTS_DIR=./dist
+ provenance: mode=max
+ sbom: true
 push: true
+
+ - name: Publish Attestations to GitHub
+ uses: actions/attest-build-provenance@v1
+ env:
+ IMAGE_REPO_TAG: ${{ vars.ZROK_CONTAINER_IMAGE_REPO || 'openziti/zrok' }}:${{ steps.semver.outputs.zrok_semver }}
+ with:
+ subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_REPO_TAG}}
+ subject-digest: ${{ steps.push.outputs.digest }}
+ push-to-registry: true
From 66a88151ce3205dd669a3195c2e1ef57952ba2fe Mon Sep 17 00:00:00 2001
From: Kenneth Bingham
Date: Mon, 24 Feb 2025 16:04:27 -0500
Subject: [PATCH 2/3] announce container image attestations
---
 .github/workflows/publish-docker-images.yml | 4 ++--
 CHANGELOG.md | 2 ++
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/publish-docker-images.yml b/.github/workflows/publish-docker-images.yml
index 5a71f6527..d1006c16c 100644
--- a/.github/workflows/publish-docker-images.yml
+++ b/.github/workflows/publish-docker-images.yml 
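Review bot: `actions/attest-build-provenance@v1` in the new "Publish Attestations to GitHub" step (and `docker/build-push-action@v6` in the hunk above it) is pinned to a mutable major tag, which is a weak anchor for the step that signs provenance for every published image: whoever can move that tag controls what gets attested. Pin both to a full commit SHA with the version in a trailing comment, e.g. `uses: actions/attest-build-provenance@<commit-sha> # v1.x`, and let Dependabot advance the pin; the pre-existing `docker/login-action@v3` can follow when convenient. Separately, `push: true` publishes the tagged image before the attest step runs, so a failure there leaves a live tag on Docker Hub with no GitHub attestation; that ordering is unavoidable when attesting by digest, so a short comment on the attest step noting that consumers should verify with `gh attestation verify` and treat a tag without an attestation as an incomplete release would document the gap rather than hide it.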
@@ -94,8 +94,8 @@ jobs:
 - name: Publish Attestations to GitHub
 uses: actions/attest-build-provenance@v1
 env:
- IMAGE_REPO_TAG: ${{ vars.ZROK_CONTAINER_IMAGE_REPO || 'openziti/zrok' }}:${{ steps.semver.outputs.zrok_semver }}
+ IMAGE_REPO: ${{ vars.ZROK_CONTAINER_IMAGE_REPO || 'openziti/zrok' }}
 with:
- subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_REPO_TAG}}
+ subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_REPO }}
 subject-digest: ${{ steps.push.outputs.digest }}
 push-to-registry: true
diff --git a/CHANGELOG.md b/CHANGELOG.md
index f8c2d45b5..b7fe3250c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,8 @@ CHANGE: Pre-releases are uploaded to the pre-release Linux package repo and Dock
 CHANGE: Linux release binaries are now built on the ziti-builder container image based on Ubuntu Focal 20.04 to preserve backward compatibility as the ubuntu-20.04 GitHub runner is end of life.
+CHANGE: Container images now include SLSA and SBOM attestations, and these are also published to the Docker Hub registry (https://github.com/openziti/zrok/issues/890).
+
 CHANGE: Release binary and text artifacts are now accompanied by provenance attestations (https://github.com/openziti/zrok/issues/889).
 ## v0.4.48
From c7e85eb911c54ec3b766903d5e407a114f940ea9 Mon Sep 17 00:00:00 2001
From: Kenneth Bingham
Date: Mon, 24 Feb 2025 16:07:39 -0500
Subject: [PATCH 3/3] minimize workflow privs
---
 .github/workflows/publish-docker-images.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.github/workflows/publish-docker-images.yml b/.github/workflows/publish-docker-images.yml
index d1006c16c..8f8f0b5bb 100644
--- a/.github/workflows/publish-docker-images.yml
+++ b/.github/workflows/publish-docker-images.yml 
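Review bot: The image repository is now written out twice — `IMAGE_REPO: ${{ vars.ZROK_CONTAINER_IMAGE_REPO || 'openziti/zrok' }}` in this hunk and the same expression in the tagprep_cli step earlier in the file — so the name the attestation subject is bound to and the name the image is actually pushed under can drift apart if one copy is edited, and a subject name that no longer matches the pushed reference makes the attestation useless to verifiers. Have tagprep_cli emit the repo as a second output, `echo "IMAGE_REPO=${ZROK_CONTAINER_IMAGE_REPO}" | tee -a $GITHUB_OUTPUT`, and use `subject-name: ${{ env.REGISTRY }}/${{ steps.tagprep_cli.outputs.IMAGE_REPO }}` here so one value feeds both the tag and the subject. The tagprep_cli step lies outside this hunk.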
@@ -12,8 +12,7 @@ jobs:
 publish-docker-images:
 runs-on: ubuntu-24.04
 permissions:
- contents: write # need write to draft the release
- id-token: write # need write to get OIDC token for generating attestations
+ id-token: write # need write to get OIDC token for generating attestations
 attestations: write # need write to create attestations
 env:
 REGISTRY: docker.io
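Review bot: With `contents: write` dropped, the job-level `permissions` block lists only `id-token` and `attestations`, and a job-level block sets every unlisted scope to none — so GITHUB_TOKEN now has no `contents` access at all, not read-only. The build context `${{ github.workspace }}/` with `DOCKER_BUILD_DIR=./docker/images/zrok` implies a checkout step outside this hunk, and the unpack step consumes downloaded release artifacts; if either of those uses GITHUB_TOKEN (a private checkout, or `gh release download`), add `contents: read # checkout / release asset download` to this block rather than relying on the repository being public. If neither does, a one-line comment stating that the token deliberately has no repository access would make the minimisation explicit for the next person who touches the block.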