Skip to content

Add a generic container workflow#471

Merged
ianlewis merged 33 commits intoslsa-framework:mainfrom
ianlewis:409-feature-add-generic-container-workflow
Jul 14, 2022
Merged

Add a generic container workflow#471
ianlewis merged 33 commits intoslsa-framework:mainfrom
ianlewis:409-feature-add-generic-container-workflow

Conversation

@ianlewis
Copy link
Member

@ianlewis ianlewis commented Jul 1, 2022
edited
Loading

Updates #409

Adds a "generic" container workflow. Users build the container in the user workflow and call the reusable container workflow which generates provenance using cosign attest and uploads it to the container registry.

cosign attest uploads additional metadata to the registry which is used during the verification process by cosign verify-attestation. The generic workflow cannot support uploading this additional metadata because our generic workflow is not container aware and users cannot upload the attestation produced by the workflow with cosign attach attestation because it does not upload it.

This PR adds a new workflow that is container aware. Users build and push their image to a registry. This workflow will use the generic generator to produce a SLSA predicate and then run the cosign attest command to sign and upload the provenance.

Support for slsa-verifier is being implemented in slsa-framework/slsa-verifier#92

Depends on:

ianlewis added 16 commits July 1, 2022 03:33
@ianlewis
Add a generic container workflow
a5df285
@ianlewis
fix input
212feb7
@ianlewis
Merge branch 'main' into 409-feature-add-generic-container-workflow
7c9bd64
@ianlewis
update hashes
4821dc2
@ianlewis
Avoid OIDC client creation errors on PRs
e6a8759
@ianlewis
Merge branch 'fix-detect-workflow-pr' into 409-feature-add-generic-co…
036d351 
…ntainer-workflow
@ianlewis
Add BUILDER_DIR to generic workflow
1fba820
@ianlewis
Merge branch 'fix-builder-dir' into 409-feature-add-generic-container…
9f34ac8 
…-workflow
@ianlewis
Add BUILDER_DIR
a41b963
@ianlewis
Fix args to builder
894ddf8
@ianlewis
Merge branch 'main' into 409-feature-add-generic-container-workflow
b73ab0d
@ianlewis
Merge branch 'main' into 409-feature-add-generic-container-workflow
2185bbe
@ianlewis
Merge remote-tracking branch 'origin/409-feature-add-generic-containe…
2652586 
…r-workflow' into 409-feature-add-generic-container-workflow
@ianlewis
Sign the image as well
f4ce48f
@ianlewis
don't sign for now
99f70ed
@ianlewis
Updates to inputs and domain parsing
d37c7e2
@ianlewis ianlewis mentioned this pull request Jul 5, 2022
Closed
7 tasks
ianlewis
ianlewis commented Jul 5, 2022
View reviewed changes
@ianlewis ianlewis marked this pull request as ready for review July 6, 2022 01:47
joshuagl
joshuagl approved these changes Jul 6, 2022
View reviewed changes
Copy link
Member

@joshuagl joshuagl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks great, thanks

laurentsimon
laurentsimon reviewed Jul 7, 2022
View reviewed changes
@ianlewis ianlewis merged commit aacb56f into slsa-framework:main Jul 14, 2022
@ianlewis ianlewis deleted the 409-feature-add-generic-container-workflow branch July 27, 2022 01:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@laurentsimon laurentsimon laurentsimon left review comments

@joshuagl joshuagl joshuagl approved these changes

@asraa asraa Awaiting requested review from asraa

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ianlewis @joshuagl @laurentsimon