svrnty/docker-base-distro
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 13 Wiki Activity

Add SBOM and provenance attestations via cosign
Some checks failed
Weekly Rebuild (CVE Updates) / rebuild (apko/build.yaml, build) (push) Failing after 28s
Details
Weekly Rebuild (CVE Updates) / rebuild (apko/base.yaml, base) (push) Failing after 30s
Details
Weekly Rebuild (CVE Updates) / rebuild (apko/dotnet-runtime.yaml, dotnet-runtime) (push) Failing after 26s
Details
Weekly Rebuild (CVE Updates) / rebuild (apko/dotnet-sdk.yaml, dotnet-sdk) (push) Failing after 26s
Details
Check for Upstream Stable Updates / Check Wolfi package updates (push) Successful in 16s
Details
Check for Upstream Stable Updates / Check .NET stable releases (push) Successful in 2s
Details
Weekly Rebuild (CVE Updates) / rebuild (apko/flutter-sdk.yaml, flutter-sdk) (push) Failing after 27s
Details
Check for Upstream Stable Updates / Rebuild and push all variants (apko/base.yaml, base) (push) Failing after 22s
Details
Check for Upstream Stable Updates / Rebuild and push all variants (apko/build.yaml, build) (push) Failing after 22s
Details
Check for Upstream Stable Updates / Rebuild and push all variants (apko/dotnet-runtime.yaml, dotnet-runtime) (push) Failing after 22s
Details
Check for Upstream Stable Updates / Check Flutter stable releases (push) Successful in 2s
Details
Check for Upstream Stable Updates / Rebuild and push all variants (apko/dotnet-sdk.yaml, dotnet-sdk) (push) Failing after 24s
Details
Check for Upstream Stable Updates / Create release for new Flutter version (push) Has been skipped
Details
Check for Upstream Stable Updates / Rebuild and push all variants (apko/flutter-sdk.yaml, flutter-sdk) (push) Failing after 20s
Details

Browse Source 
Use cosign to attach SPDX SBOM (generated by apko) and SLSA
provenance attestations to all published images. Applied to
publish, rebuild, and update-check pipelines.

Also added push trigger on self-path for rebuild.yaml.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
Mathias Beaulieu-Duncan 2026-02-02 10:12:47 -05:00
parent 0711e3142a
commit 2e07c31e99
3 changed files with 236 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

82
.gitea/workflows/publish.yaml
View File

@ -50,6 +50,14 @@ jobs:
tar xzf /tmp/apko.tar.gz --strip-components=1 -C /usr/local/bin
rm /tmp/apko.tar.gz
- name: Install cosign
run: |
COSIGN_ARCH=$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/')
COSIGN_VERSION=$(curl -fsSL "https://api.github.com/repos/sigstore/cosign/releases/latest" | jq -r '.tag_name')
curl -fsSL "https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}/cosign-linux-${COSIGN_ARCH}" \
-o /usr/local/bin/cosign
chmod +x /usr/local/bin/cosign
- name: Login to Docker Registry
uses: docker/login-action@v3
with:
@ -57,9 +65,77 @@ jobs:
password: ${{ secrets.REGISTRY_PASSWORD }}
- name: Build and push image
id: publish
run: |
IMAGE_REF=${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-${{ steps.tag.outputs.suffix }}
mkdir -p /tmp/sbom
apko publish ${{ matrix.config }} \
${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-${{ steps.tag.outputs.suffix }}
--sbom-path /tmp/sbom \
--image-refs /tmp/image-refs.txt \
"${IMAGE_REF}"
echo "image_ref=${IMAGE_REF}" >> "$GITHUB_OUTPUT"
DIGEST=$(head -1 /tmp/image-refs.txt | sed 's/.*@//')
echo "digest=${DIGEST}" >> "$GITHUB_OUTPUT"
- name: Attach SBOM attestation
env:
COSIGN_YES: "true"
run: |
IMAGE_DIGEST="${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}@${{ steps.publish.outputs.digest }}"
# Attach SPDX SBOM
SBOM_FILE=$(ls /tmp/sbom/*.spdx.json 2>/dev/null | head -1)
if [ -n "$SBOM_FILE" ]; then
cosign attach sbom --sbom "${SBOM_FILE}" "${IMAGE_DIGEST}"
echo "SBOM attached successfully"
else
echo "No SBOM file found, skipping"
fi
- name: Generate and attach provenance
env:
COSIGN_YES: "true"
run: |
IMAGE_DIGEST="${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}@${{ steps.publish.outputs.digest }}"
# Generate SLSA-style provenance
cat > /tmp/provenance.json << PROVEOF
{
"_type": "https://in-toto.io/Statement/v0.1",
"predicateType": "https://slsa.dev/provenance/v0.2",
"subject": [
{
"name": "${{ steps.publish.outputs.image_ref }}",
"digest": {
"sha256": "$(echo '${{ steps.publish.outputs.digest }}' | sed 's/sha256://')"
}
}
],
"predicate": {
"buildType": "https://apko.dev/build/v1",
"builder": {
"id": "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
},
"invocation": {
"configSource": {
"uri": "${{ github.server_url }}/${{ github.repository }}",
"digest": {
"sha1": "${{ github.sha }}"
},
"entryPoint": "${{ matrix.config }}"
}
},
"metadata": {
"buildInvocationID": "${{ github.run_id }}",
"completeness": {
"parameters": true,
"environment": true,
"materials": true
}
}
}
}
PROVEOF
cosign attest --predicate /tmp/provenance.json --type slsaprovenance "${IMAGE_DIGEST}"
echo "Provenance attestation attached successfully"
- name: Install Docker Scout
run: |
@ -68,5 +144,5 @@ jobs:
- name: Docker Scout CVE Scan
run: |
docker pull ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-${{ steps.tag.outputs.suffix }}
docker scout cves ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-${{ steps.tag.outputs.suffix }} --only-severity critical,high
docker pull ${{ steps.publish.outputs.image_ref }}
docker scout cves ${{ steps.publish.outputs.image_ref }} --only-severity critical,high

84
.gitea/workflows/rebuild.yaml
View File

@ -4,7 +4,9 @@ on:
schedule:
# Rebuild weekly to pick up Wolfi security patches
- cron: '0 6 * * 1'
workflow_dispatch:
push:
paths:
- '.gitea/workflows/rebuild.yaml'
permissions:
contents: read
@ -42,6 +44,14 @@ jobs:
tar xzf /tmp/apko.tar.gz --strip-components=1 -C /usr/local/bin
rm /tmp/apko.tar.gz
- name: Install cosign
run: |
COSIGN_ARCH=$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/')
COSIGN_VERSION=$(curl -fsSL "https://api.github.com/repos/sigstore/cosign/releases/latest" | jq -r '.tag_name')
curl -fsSL "https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}/cosign-linux-${COSIGN_ARCH}" \
-o /usr/local/bin/cosign
chmod +x /usr/local/bin/cosign
- name: Login to Docker Registry
uses: docker/login-action@v3
with:
@ -49,9 +59,75 @@ jobs:
password: ${{ secrets.REGISTRY_PASSWORD }}
- name: Rebuild and push with latest Wolfi packages
id: publish
run: |
IMAGE_REF=${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-latest
mkdir -p /tmp/sbom
apko publish ${{ matrix.config }} \
${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-latest
--sbom-path /tmp/sbom \
--image-refs /tmp/image-refs.txt \
"${IMAGE_REF}"
echo "image_ref=${IMAGE_REF}" >> "$GITHUB_OUTPUT"
DIGEST=$(head -1 /tmp/image-refs.txt | sed 's/.*@//')
echo "digest=${DIGEST}" >> "$GITHUB_OUTPUT"
- name: Attach SBOM attestation
env:
COSIGN_YES: "true"
run: |
IMAGE_DIGEST="${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}@${{ steps.publish.outputs.digest }}"
SBOM_FILE=$(ls /tmp/sbom/*.spdx.json 2>/dev/null | head -1)
if [ -n "$SBOM_FILE" ]; then
cosign attach sbom --sbom "${SBOM_FILE}" "${IMAGE_DIGEST}"
echo "SBOM attached successfully"
else
echo "No SBOM file found, skipping"
fi
- name: Generate and attach provenance
env:
COSIGN_YES: "true"
run: |
IMAGE_DIGEST="${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}@${{ steps.publish.outputs.digest }}"
cat > /tmp/provenance.json << PROVEOF
{
"_type": "https://in-toto.io/Statement/v0.1",
"predicateType": "https://slsa.dev/provenance/v0.2",
"subject": [
{
"name": "${{ steps.publish.outputs.image_ref }}",
"digest": {
"sha256": "$(echo '${{ steps.publish.outputs.digest }}' | sed 's/sha256://')"
}
}
],
"predicate": {
"buildType": "https://apko.dev/build/v1",
"builder": {
"id": "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
},
"invocation": {
"configSource": {
"uri": "${{ github.server_url }}/${{ github.repository }}",
"digest": {
"sha1": "${{ github.sha }}"
},
"entryPoint": "${{ matrix.config }}"
}
},
"metadata": {
"buildInvocationID": "${{ github.run_id }}",
"completeness": {
"parameters": true,
"environment": true,
"materials": true
}
}
}
}
PROVEOF
cosign attest --predicate /tmp/provenance.json --type slsaprovenance "${IMAGE_DIGEST}"
echo "Provenance attestation attached successfully"
- name: Install Docker Scout
run: |
@ -60,5 +136,5 @@ jobs:
- name: Docker Scout CVE Scan
run: |
docker pull ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-latest
docker scout cves ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-latest --only-severity critical,high
docker pull ${{ steps.publish.outputs.image_ref }}
docker scout cves ${{ steps.publish.outputs.image_ref }} --only-severity critical,high

80
.gitea/workflows/update-check.yaml
View File

@ -134,6 +134,14 @@ jobs:
tar xzf /tmp/apko.tar.gz --strip-components=1 -C /usr/local/bin
rm /tmp/apko.tar.gz
- name: Install cosign
run: |
COSIGN_ARCH=$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/')
COSIGN_VERSION=$(curl -fsSL "https://api.github.com/repos/sigstore/cosign/releases/latest" | jq -r '.tag_name')
curl -fsSL "https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}/cosign-linux-${COSIGN_ARCH}" \
-o /usr/local/bin/cosign
chmod +x /usr/local/bin/cosign
- name: Login to Docker Registry
uses: docker/login-action@v3
with:
@ -141,9 +149,75 @@ jobs:
password: ${{ secrets.REGISTRY_PASSWORD }}
- name: Build and push image
id: publish
run: |
IMAGE_REF=${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-latest
mkdir -p /tmp/sbom
apko publish ${{ matrix.config }} \
${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-latest
--sbom-path /tmp/sbom \
--image-refs /tmp/image-refs.txt \
"${IMAGE_REF}"
echo "image_ref=${IMAGE_REF}" >> "$GITHUB_OUTPUT"
DIGEST=$(head -1 /tmp/image-refs.txt | sed 's/.*@//')
echo "digest=${DIGEST}" >> "$GITHUB_OUTPUT"
- name: Attach SBOM attestation
env:
COSIGN_YES: "true"
run: |
IMAGE_DIGEST="${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}@${{ steps.publish.outputs.digest }}"
SBOM_FILE=$(ls /tmp/sbom/*.spdx.json 2>/dev/null | head -1)
if [ -n "$SBOM_FILE" ]; then
cosign attach sbom --sbom "${SBOM_FILE}" "${IMAGE_DIGEST}"
echo "SBOM attached successfully"
else
echo "No SBOM file found, skipping"
fi
- name: Generate and attach provenance
env:
COSIGN_YES: "true"
run: |
IMAGE_DIGEST="${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}@${{ steps.publish.outputs.digest }}"
cat > /tmp/provenance.json << PROVEOF
{
"_type": "https://in-toto.io/Statement/v0.1",
"predicateType": "https://slsa.dev/provenance/v0.2",
"subject": [
{
"name": "${{ steps.publish.outputs.image_ref }}",
"digest": {
"sha256": "$(echo '${{ steps.publish.outputs.digest }}' | sed 's/sha256://')"
}
}
],
"predicate": {
"buildType": "https://apko.dev/build/v1",
"builder": {
"id": "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
},
"invocation": {
"configSource": {
"uri": "${{ github.server_url }}/${{ github.repository }}",
"digest": {
"sha1": "${{ github.sha }}"
},
"entryPoint": "${{ matrix.config }}"
}
},
"metadata": {
"buildInvocationID": "${{ github.run_id }}",
"completeness": {
"parameters": true,
"environment": true,
"materials": true
}
}
}
}
PROVEOF
cosign attest --predicate /tmp/provenance.json --type slsaprovenance "${IMAGE_DIGEST}"
echo "Provenance attestation attached successfully"
- name: Install Docker Scout
run: |
@ -152,8 +226,8 @@ jobs:
- name: Docker Scout CVE Scan
run: |
docker pull ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-latest
docker scout cves ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-latest --only-severity critical,high
docker pull ${{ steps.publish.outputs.image_ref }}
docker scout cves ${{ steps.publish.outputs.image_ref }} --only-severity critical,high
notify-flutter:
name: Create release for new Flutter version