- Notifications
You must be signed in to change notification settings - Fork928
chore: enable SBOM attestations for docker images#16894
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
Merged
+339 −3
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.Learn more about bidirectional Unicode characters
- Enable SBOM and provenance attestations in Docker builds- Update build_docker_multiarch.sh to handle images with attestations- Fix issue with Docker manifest creation for images with multiple attestation manifests- Make Docker daemon config use containerd by default🤖 Generated with [Claude Code](https://claude.ai/code)Co-Authored-By: Claude <noreply@anthropic.com>Signed-off-by: Thomas Kosiewski <tk@coder.com>
Change-Id: I3f9b6e0447713eb16e50af9b1645d6cacf1af9faSigned-off-by: Thomas Kosiewski <tk@coder.com>
ThomasK33 approved these changesMar 12, 2025
…imagesThis adds GitHub Actions attestations to both CI and release workflows,providing SLSA provenance verification for all Docker images built in thepipeline. This complements our existing cosign SBOM attestations to improveour software supply chain security posture.- Add attestations:write permission to both workflows- Add SLSA provenance attestation for all Docker image tags- Include error handling to make attestation failures non-blocking- Add detailed comments explaining the attestation strategyChange-Id: I06761204cdcd31a0a648acfd057bcd45f55bdc9cSigned-off-by: Thomas Kosiewski <tk@coder.com>
The installation of Syft and Cosign in the dogfood Dockerfile was missing an &&operator between commands, causing the build to fail. This commit adds the missingoperator to ensure proper command chaining.Change-Id: I540258ed9638581d7ee704915a2f261d0aed7bebSigned-off-by: Thomas Kosiewski <tk@coder.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Looks great except the go version bump.
| @@ -9,7 +9,7 @@ RUN cargo install exa bat ripgrep typos-cli watchexec-cli && \ | |||
| FROM ubuntu:jammy@sha256:0e5e4a57c2499249aafc3b40fcd541e9a456aab7296681a3994d631587203f97 AS go | |||
| # Install Go manually, so that we can control the version | |||
| ARG GO_VERSION=1.22.8 | |||
| ARG GO_VERSION=1.24.1 | |||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Is this intentional?
4987de6 intomain 37 checks passed
Uh oh!
There was an error while loading.Please reload this page.
As a follow up lets add a docs section on how to verify the sbom. |
Sign up for freeto subscribe to this conversation on GitHub. Already have an account?Sign in.
Labels
None yet
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading.Please reload this page.
cosignandsyftin dogfood imageSigned-off-by: Thomas Kosiewskitk@coder.com