Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

chore: enable SBOM attestations for docker images#16894

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Merged
matifali merged 5 commits intomainfromatif/sbom
Mar 13, 2025
Merged

Conversation

matifali
Copy link
Member

@matifalimatifali commentedMar 12, 2025
edited
Loading

  • Enable SBOM and provenance attestations in Docker builds
  • Installscosign andsyft in dogfood image
  • Addsgithub attestations

Signed-off-by: Thomas Kosiewskitk@coder.com

matifaliand others added2 commitsMarch 12, 2025 14:16
- Enable SBOM and provenance attestations in Docker builds- Update build_docker_multiarch.sh to handle images with attestations- Fix issue with Docker manifest creation for images with multiple attestation manifests- Make Docker daemon config use containerd by default🤖 Generated with [Claude Code](https://claude.ai/code)Co-Authored-By: Claude <noreply@anthropic.com>Signed-off-by: Thomas Kosiewski <tk@coder.com>
Change-Id: I3f9b6e0447713eb16e50af9b1645d6cacf1af9faSigned-off-by: Thomas Kosiewski <tk@coder.com>
matifaliand others added2 commitsMarch 12, 2025 22:12
…imagesThis adds GitHub Actions attestations to both CI and release workflows,providing SLSA provenance verification for all Docker images built in thepipeline. This complements our existing cosign SBOM attestations to improveour software supply chain security posture.- Add attestations:write permission to both workflows- Add SLSA provenance attestation for all Docker image tags- Include error handling to make attestation failures non-blocking- Add detailed comments explaining the attestation strategyChange-Id: I06761204cdcd31a0a648acfd057bcd45f55bdc9cSigned-off-by: Thomas Kosiewski <tk@coder.com>
The installation of Syft and Cosign in the dogfood Dockerfile was missing an &&operator between commands, causing the build to fail. This commit adds the missingoperator to ensure proper command chaining.Change-Id: I540258ed9638581d7ee704915a2f261d0aed7bebSigned-off-by: Thomas Kosiewski <tk@coder.com>
Copy link
MemberAuthor

@matifalimatifali left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Looks great except the go version bump.

@@ -9,7 +9,7 @@ RUN cargo install exa bat ripgrep typos-cli watchexec-cli && \
FROM ubuntu:jammy@sha256:0e5e4a57c2499249aafc3b40fcd541e9a456aab7296681a3994d631587203f97 AS go

# Install Go manually, so that we can control the version
ARG GO_VERSION=1.22.8
ARG GO_VERSION=1.24.1
Copy link
MemberAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Is this intentional?

@matifalimatifali merged commit4987de6 intomainMar 13, 2025
37 checks passed
@matifalimatifali deleted the atif/sbom branchMarch 13, 2025 16:45
@github-actionsgithub-actionsbot locked and limited conversation to collaboratorsMar 13, 2025
@matifali
Copy link
MemberAuthor

As a follow up lets add a docs section on how to verify the sbom.

Sign up for freeto subscribe to this conversation on GitHub. Already have an account?Sign in.
Reviewers

@ThomasK33ThomasK33ThomasK33 approved these changes

Assignees

@matifalimatifali

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

2 participants
@matifali@ThomasK33
[8]ページ先頭
©2009-2025 Movatter.jp