svrnty/docker-base-distro
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 13 Wiki Activity

Replace cosign with docker buildx for SBOM and provenance attestations
Some checks failed
Check for Upstream Stable Updates / Rebuild and push all variants (apko/dotnet-sdk.yaml, dotnet-sdk) (push) Blocked by required conditions
Details
Check for Upstream Stable Updates / Rebuild and push all variants (apko/flutter-sdk.yaml, flutter-sdk) (push) Blocked by required conditions
Details
Check for Upstream Stable Updates / Create release for new Flutter version (push) Blocked by required conditions
Details
Build and Push Base Distro Images / build-and-push (apko/base.yaml, base) (push) Successful in 38s
Details
Build and Push Base Distro Images / build-and-push (apko/build.yaml, build) (push) Successful in 57s
Details
Build and Push Base Distro Images / build-and-push (apko/dotnet-runtime.yaml, dotnet-runtime) (push) Successful in 50s
Details
Build and Push Base Distro Images / build-and-push (apko/dotnet-sdk.yaml, dotnet-sdk) (push) Successful in 1m10s
Details
Build and Push Base Distro Images / build-and-push (apko/flutter-sdk.yaml, flutter-sdk) (push) Successful in 40s
Details
Weekly Rebuild (CVE Updates) / rebuild (apko/base.yaml, base) (push) Successful in 41s
Details
Weekly Rebuild (CVE Updates) / rebuild (apko/build.yaml, build) (push) Successful in 39s
Details
Weekly Rebuild (CVE Updates) / rebuild (apko/dotnet-runtime.yaml, dotnet-runtime) (push) Successful in 37s
Details
Weekly Rebuild (CVE Updates) / rebuild (apko/dotnet-sdk.yaml, dotnet-sdk) (push) Successful in 37s
Details
Check for Upstream Stable Updates / Check Wolfi package updates (push) Successful in 19s
Details
Check for Upstream Stable Updates / Check .NET stable releases (push) Successful in 1s
Details
Check for Upstream Stable Updates / Check Flutter stable releases (push) Successful in 5s
Details
Weekly Rebuild (CVE Updates) / rebuild (apko/flutter-sdk.yaml, flutter-sdk) (push) Successful in 46s
Details
Check for Upstream Stable Updates / Rebuild and push all variants (apko/dotnet-runtime.yaml, dotnet-runtime) (push) Has been cancelled
Details
Check for Upstream Stable Updates / Rebuild and push all variants (apko/build.yaml, build) (push) Has been cancelled
Details
Check for Upstream Stable Updates / Rebuild and push all variants (apko/base.yaml, base) (push) Successful in 34s
Details

Browse Source 
Cosign keyless mode requires OIDC browser auth which is not viable in CI.
Switch all three pipelines to use apko build + docker buildx with
--sbom=true and --provenance=mode=max for automatic attestation.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
Mathias Beaulieu-Duncan 2026-02-02 10:29:27 -05:00
parent 510bfa01b9
commit 7c2d558a35
3 changed files with 63 additions and 192 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

83
.gitea/workflows/publish.yaml
View File

@ -52,13 +52,8 @@ jobs:
tar xzf /tmp/apko.tar.gz --strip-components=1 -C /usr/local/bin tar xzf /tmp/apko.tar.gz --strip-components=1 -C /usr/local/bin
rm /tmp/apko.tar.gz rm /tmp/apko.tar.gz
- name: Install cosign - name: Set up Docker Buildx
run: | uses: docker/setup-buildx-action@v3
COSIGN_ARCH=$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/')
COSIGN_VERSION=$(curl -fsSL "https://api.github.com/repos/sigstore/cosign/releases/latest" | jq -r '.tag_name')
curl -fsSL "https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}/cosign-linux-${COSIGN_ARCH}" \
-o /usr/local/bin/cosign
chmod +x /usr/local/bin/cosign
- name: Login to Docker Registry - name: Login to Docker Registry
uses: docker/login-action@v3 uses: docker/login-action@v3
@ -95,7 +90,6 @@ jobs:
echo "upstream=${UPSTREAM}" >> "$GITHUB_OUTPUT" echo "upstream=${UPSTREAM}" >> "$GITHUB_OUTPUT"
echo "Upstream version for ${VARIANT}: ${UPSTREAM}" echo "Upstream version for ${VARIANT}: ${UPSTREAM}"
# Query DockerHub for existing tags to determine build increment
REPO_NAME="${{ env.IMAGE_NAME }}" REPO_NAME="${{ env.IMAGE_NAME }}"
REGISTRY_URL="${{ secrets.REGISTRY_URL }}" REGISTRY_URL="${{ secrets.REGISTRY_URL }}"
NAMESPACE=$(echo "$REGISTRY_URL" | sed 's|.*://||; s|.*\.io/||; s|/$||') NAMESPACE=$(echo "$REGISTRY_URL" | sed 's|.*://||; s|.*\.io/||; s|/$||')
@ -116,60 +110,25 @@ jobs:
echo "version_tag=${VERSION_TAG}" >> "$GITHUB_OUTPUT" echo "version_tag=${VERSION_TAG}" >> "$GITHUB_OUTPUT"
echo "Next version tag: ${VERSION_TAG}" echo "Next version tag: ${VERSION_TAG}"
- name: Build and push image - name: Build apko image tarball
id: publish
run: | run: |
IMAGE_LATEST=${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-${{ steps.tag.outputs.suffix }} apko build ${{ matrix.config }} \
IMAGE_VERSIONED=${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.version_tag }} ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-${{ steps.tag.outputs.suffix }} \
mkdir -p /tmp/sbom /tmp/image.tar
apko publish ${{ matrix.config }} \ echo 'FROM scratch' > /tmp/Dockerfile
--sbom-path /tmp/sbom \ echo 'ADD image.tar /' >> /tmp/Dockerfile
--image-refs /tmp/image-refs.txt \
"${IMAGE_LATEST}" \
"${IMAGE_VERSIONED}"
echo "image_ref=${IMAGE_LATEST}" >> "$GITHUB_OUTPUT"
echo "image_versioned=${IMAGE_VERSIONED}" >> "$GITHUB_OUTPUT"
DIGEST=$(head -1 /tmp/image-refs.txt | sed 's/.*@//')
echo "digest=${DIGEST}" >> "$GITHUB_OUTPUT"
- name: Attach SBOM attestation - name: Build and push with buildx (SBOM + provenance)
env: uses: docker/build-push-action@v5
COSIGN_YES: "true" with:
run: | context: /tmp
IMAGE_DIGEST="${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}@${{ steps.publish.outputs.digest }}" file: /tmp/Dockerfile
SBOM_FILE=$(ls /tmp/sbom/*.spdx.json 2>/dev/null | head -1) push: true
if [ -n "$SBOM_FILE" ]; then sbom: true
cosign attach sbom --sbom "${SBOM_FILE}" "${IMAGE_DIGEST}" provenance: mode=max
echo "SBOM attached successfully" tags: |
else ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-${{ steps.tag.outputs.suffix }}
echo "No SBOM file found, skipping" ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.version_tag }}
fi
- name: Generate and attach provenance
env:
COSIGN_YES: "true"
run: |
IMAGE_DIGEST="${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}@${{ steps.publish.outputs.digest }}"
jq -n \
--arg builder "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" \
--arg buildType "https://apko.dev/build/v1" \
--arg uri "${{ github.server_url }}/${{ github.repository }}" \
--arg sha1 "${{ github.sha }}" \
--arg entry "${{ matrix.config }}" \
--arg runId "${{ github.run_id }}" \
'{
"builder": {"id": $builder},
"buildType": $buildType,
"invocation": {
"configSource": {"uri": $uri, "digest": {"sha1": $sha1}, "entryPoint": $entry}
},
"metadata": {
"buildInvocationID": $runId,
"completeness": {"parameters": true, "environment": true, "materials": true}
}
}' > /tmp/provenance.json
cosign attest --predicate /tmp/provenance.json --type slsaprovenance "${IMAGE_DIGEST}"
echo "Provenance attestation attached successfully"
- name: Install Docker Scout - name: Install Docker Scout
run: | run: |
@ -178,5 +137,5 @@ jobs:
- name: Docker Scout CVE Scan - name: Docker Scout CVE Scan
run: | run: |
docker pull ${{ steps.publish.outputs.image_ref }} docker pull ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-${{ steps.tag.outputs.suffix }}
docker scout cves ${{ steps.publish.outputs.image_ref }} --only-severity critical,high docker scout cves ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-${{ steps.tag.outputs.suffix }} --only-severity critical,high

90
.gitea/workflows/rebuild.yaml
View File

@ -44,13 +44,8 @@ jobs:
tar xzf /tmp/apko.tar.gz --strip-components=1 -C /usr/local/bin tar xzf /tmp/apko.tar.gz --strip-components=1 -C /usr/local/bin
rm /tmp/apko.tar.gz rm /tmp/apko.tar.gz
- name: Install cosign - name: Set up Docker Buildx
run: | uses: docker/setup-buildx-action@v3
COSIGN_ARCH=$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/')
COSIGN_VERSION=$(curl -fsSL "https://api.github.com/repos/sigstore/cosign/releases/latest" | jq -r '.tag_name')
curl -fsSL "https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}/cosign-linux-${COSIGN_ARCH}" \
-o /usr/local/bin/cosign
chmod +x /usr/local/bin/cosign
- name: Login to Docker Registry - name: Login to Docker Registry
uses: docker/login-action@v3 uses: docker/login-action@v3
@ -65,24 +60,20 @@ jobs:
case "$VARIANT" in case "$VARIANT" in
base|build) base|build)
# Use Wolfi glibc version as base version
UPSTREAM=$(apko resolve ${{ matrix.config }} 2>&1 | grep -oP 'glibc-\K[0-9]+\.[0-9]+' | head -1 || echo "0.0") UPSTREAM=$(apko resolve ${{ matrix.config }} 2>&1 | grep -oP 'glibc-\K[0-9]+\.[0-9]+' | head -1 || echo "0.0")
if [ "$UPSTREAM" = "" ] || [ "$UPSTREAM" = "0.0" ]; then if [ "$UPSTREAM" = "" ] || [ "$UPSTREAM" = "0.0" ]; then
UPSTREAM=$(apko resolve ${{ matrix.config }} 2>&1 | grep -oP 'glibc \(\K[0-9]+\.[0-9]+' | head -1 || echo "2.42") UPSTREAM=$(apko resolve ${{ matrix.config }} 2>&1 | grep -oP 'glibc \(\K[0-9]+\.[0-9]+' | head -1 || echo "2.42")
fi fi
;; ;;
dotnet-runtime) dotnet-runtime)
# Use latest .NET runtime version
UPSTREAM=$(curl -fsSL "https://dotnetcli.azureedge.net/dotnet/release-metadata/releases-index.json" \ UPSTREAM=$(curl -fsSL "https://dotnetcli.azureedge.net/dotnet/release-metadata/releases-index.json" \
| jq -r '[."releases-index"[] | select(."support-phase" == "active" or ."support-phase" == "go-live") | ."latest-runtime"] | sort_by(. | split(".") | map(tonumber)) | last') | jq -r '[."releases-index"[] | select(."support-phase" == "active" or ."support-phase" == "go-live") | ."latest-runtime"] | sort_by(. | split(".") | map(tonumber)) | last')
;; ;;
dotnet-sdk) dotnet-sdk)
# Use latest .NET SDK version
UPSTREAM=$(curl -fsSL "https://dotnetcli.azureedge.net/dotnet/release-metadata/releases-index.json" \ UPSTREAM=$(curl -fsSL "https://dotnetcli.azureedge.net/dotnet/release-metadata/releases-index.json" \
| jq -r '[."releases-index"[] | select(."support-phase" == "active" or ."support-phase" == "go-live") | ."latest-sdk"] | sort_by(. | split(".") | map(tonumber)) | last') | jq -r '[."releases-index"[] | select(."support-phase" == "active" or ."support-phase" == "go-live") | ."latest-sdk"] | sort_by(. | split(".") | map(tonumber)) | last')
;; ;;
flutter-sdk) flutter-sdk)
# Use latest Flutter stable version
UPSTREAM=$(curl -fsSL "https://storage.googleapis.com/flutter_infra_release/releases/releases_linux.json" \ UPSTREAM=$(curl -fsSL "https://storage.googleapis.com/flutter_infra_release/releases/releases_linux.json" \
| jq -r '.current_release.stable as $hash | .releases[] | select(.hash == $hash and .channel == "stable") | .version') | jq -r '.current_release.stable as $hash | .releases[] | select(.hash == $hash and .channel == "stable") | .version')
;; ;;
@ -91,17 +82,13 @@ jobs:
echo "upstream=${UPSTREAM}" >> "$GITHUB_OUTPUT" echo "upstream=${UPSTREAM}" >> "$GITHUB_OUTPUT"
echo "Upstream version for ${VARIANT}: ${UPSTREAM}" echo "Upstream version for ${VARIANT}: ${UPSTREAM}"
# Query DockerHub for existing tags to determine build increment
REPO_NAME="${{ env.IMAGE_NAME }}" REPO_NAME="${{ env.IMAGE_NAME }}"
REGISTRY_URL="${{ secrets.REGISTRY_URL }}" REGISTRY_URL="${{ secrets.REGISTRY_URL }}"
# Extract namespace/repo from registry URL (e.g. docker.io/svrnty -> svrnty)
NAMESPACE=$(echo "$REGISTRY_URL" | sed 's|.*://||; s|.*\.io/||; s|/$||') NAMESPACE=$(echo "$REGISTRY_URL" | sed 's|.*://||; s|.*\.io/||; s|/$||')
# Query DockerHub API for tags matching this variant and version
EXISTING_TAGS=$(curl -s "https://hub.docker.com/v2/repositories/${NAMESPACE}/${REPO_NAME}/tags?page_size=100&name=${VARIANT}-${UPSTREAM}." \ EXISTING_TAGS=$(curl -s "https://hub.docker.com/v2/repositories/${NAMESPACE}/${REPO_NAME}/tags?page_size=100&name=${VARIANT}-${UPSTREAM}." \
| jq -r '.results[]?.name // empty' 2>/dev/null || echo "") | jq -r '.results[]?.name // empty' 2>/dev/null || echo "")
# Find highest build number
MAX_BUILD=0 MAX_BUILD=0
for tag in $EXISTING_TAGS; do for tag in $EXISTING_TAGS; do
BUILD_NUM=$(echo "$tag" | grep -oP "\.\K[0-9]+$" || echo "0") BUILD_NUM=$(echo "$tag" | grep -oP "\.\K[0-9]+$" || echo "0")
@ -115,60 +102,25 @@ jobs:
echo "version_tag=${VERSION_TAG}" >> "$GITHUB_OUTPUT" echo "version_tag=${VERSION_TAG}" >> "$GITHUB_OUTPUT"
echo "Next version tag: ${VERSION_TAG}" echo "Next version tag: ${VERSION_TAG}"
- name: Rebuild and push with latest Wolfi packages - name: Build apko image tarball
id: publish
run: | run: |
IMAGE_LATEST=${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-latest apko build ${{ matrix.config }} \
IMAGE_VERSIONED=${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.version_tag }} ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-latest \
mkdir -p /tmp/sbom /tmp/image.tar
apko publish ${{ matrix.config }} \ echo 'FROM scratch' > /tmp/Dockerfile
--sbom-path /tmp/sbom \ echo 'ADD image.tar /' >> /tmp/Dockerfile
--image-refs /tmp/image-refs.txt \
"${IMAGE_LATEST}" \
"${IMAGE_VERSIONED}"
echo "image_ref=${IMAGE_LATEST}" >> "$GITHUB_OUTPUT"
echo "image_versioned=${IMAGE_VERSIONED}" >> "$GITHUB_OUTPUT"
DIGEST=$(head -1 /tmp/image-refs.txt | sed 's/.*@//')
echo "digest=${DIGEST}" >> "$GITHUB_OUTPUT"
- name: Attach SBOM attestation - name: Build and push with buildx (SBOM + provenance)
env: uses: docker/build-push-action@v5
COSIGN_YES: "true" with:
run: | context: /tmp
IMAGE_DIGEST="${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}@${{ steps.publish.outputs.digest }}" file: /tmp/Dockerfile
SBOM_FILE=$(ls /tmp/sbom/*.spdx.json 2>/dev/null | head -1) push: true
if [ -n "$SBOM_FILE" ]; then sbom: true
cosign attach sbom --sbom "${SBOM_FILE}" "${IMAGE_DIGEST}" provenance: mode=max
echo "SBOM attached successfully" tags: |
else ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-latest
echo "No SBOM file found, skipping" ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.version_tag }}
fi
- name: Generate and attach provenance
env:
COSIGN_YES: "true"
run: |
IMAGE_DIGEST="${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}@${{ steps.publish.outputs.digest }}"
jq -n \
--arg builder "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" \
--arg buildType "https://apko.dev/build/v1" \
--arg uri "${{ github.server_url }}/${{ github.repository }}" \
--arg sha1 "${{ github.sha }}" \
--arg entry "${{ matrix.config }}" \
--arg runId "${{ github.run_id }}" \
'{
"builder": {"id": $builder},
"buildType": $buildType,
"invocation": {
"configSource": {"uri": $uri, "digest": {"sha1": $sha1}, "entryPoint": $entry}
},
"metadata": {
"buildInvocationID": $runId,
"completeness": {"parameters": true, "environment": true, "materials": true}
}
}' > /tmp/provenance.json
cosign attest --predicate /tmp/provenance.json --type slsaprovenance "${IMAGE_DIGEST}"
echo "Provenance attestation attached successfully"
- name: Install Docker Scout - name: Install Docker Scout
run: | run: |
@ -177,5 +129,5 @@ jobs:
- name: Docker Scout CVE Scan - name: Docker Scout CVE Scan
run: | run: |
docker pull ${{ steps.publish.outputs.image_ref }} docker pull ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-latest
docker scout cves ${{ steps.publish.outputs.image_ref }} --only-severity critical,high docker scout cves ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-latest --only-severity critical,high

82
.gitea/workflows/update-check.yaml
View File

@ -134,13 +134,8 @@ jobs:
tar xzf /tmp/apko.tar.gz --strip-components=1 -C /usr/local/bin tar xzf /tmp/apko.tar.gz --strip-components=1 -C /usr/local/bin
rm /tmp/apko.tar.gz rm /tmp/apko.tar.gz
- name: Install cosign - name: Set up Docker Buildx
run: | uses: docker/setup-buildx-action@v3
COSIGN_ARCH=$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/')
COSIGN_VERSION=$(curl -fsSL "https://api.github.com/repos/sigstore/cosign/releases/latest" | jq -r '.tag_name')
curl -fsSL "https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}/cosign-linux-${COSIGN_ARCH}" \
-o /usr/local/bin/cosign
chmod +x /usr/local/bin/cosign
- name: Login to Docker Registry - name: Login to Docker Registry
uses: docker/login-action@v3 uses: docker/login-action@v3
@ -197,60 +192,25 @@ jobs:
echo "version_tag=${VERSION_TAG}" >> "$GITHUB_OUTPUT" echo "version_tag=${VERSION_TAG}" >> "$GITHUB_OUTPUT"
echo "Next version tag: ${VERSION_TAG}" echo "Next version tag: ${VERSION_TAG}"
- name: Build and push image - name: Build apko image tarball
id: publish
run: | run: |
IMAGE_LATEST=${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-latest apko build ${{ matrix.config }} \
IMAGE_VERSIONED=${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.version_tag }} ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-latest \
mkdir -p /tmp/sbom /tmp/image.tar
apko publish ${{ matrix.config }} \ echo 'FROM scratch' > /tmp/Dockerfile
--sbom-path /tmp/sbom \ echo 'ADD image.tar /' >> /tmp/Dockerfile
--image-refs /tmp/image-refs.txt \
"${IMAGE_LATEST}" \
"${IMAGE_VERSIONED}"
echo "image_ref=${IMAGE_LATEST}" >> "$GITHUB_OUTPUT"
echo "image_versioned=${IMAGE_VERSIONED}" >> "$GITHUB_OUTPUT"
DIGEST=$(head -1 /tmp/image-refs.txt | sed 's/.*@//')
echo "digest=${DIGEST}" >> "$GITHUB_OUTPUT"
- name: Attach SBOM attestation - name: Build and push with buildx (SBOM + provenance)
env: uses: docker/build-push-action@v5
COSIGN_YES: "true" with:
run: | context: /tmp
IMAGE_DIGEST="${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}@${{ steps.publish.outputs.digest }}" file: /tmp/Dockerfile
SBOM_FILE=$(ls /tmp/sbom/*.spdx.json 2>/dev/null | head -1) push: true
if [ -n "$SBOM_FILE" ]; then sbom: true
cosign attach sbom --sbom "${SBOM_FILE}" "${IMAGE_DIGEST}" provenance: mode=max
echo "SBOM attached successfully" tags: |
else ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-latest
echo "No SBOM file found, skipping" ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.version_tag }}
fi
- name: Generate and attach provenance
env:
COSIGN_YES: "true"
run: |
IMAGE_DIGEST="${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}@${{ steps.publish.outputs.digest }}"
jq -n \
--arg builder "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" \
--arg buildType "https://apko.dev/build/v1" \
--arg uri "${{ github.server_url }}/${{ github.repository }}" \
--arg sha1 "${{ github.sha }}" \
--arg entry "${{ matrix.config }}" \
--arg runId "${{ github.run_id }}" \
'{
"builder": {"id": $builder},
"buildType": $buildType,
"invocation": {
"configSource": {"uri": $uri, "digest": {"sha1": $sha1}, "entryPoint": $entry}
},
"metadata": {
"buildInvocationID": $runId,
"completeness": {"parameters": true, "environment": true, "materials": true}
}
}' > /tmp/provenance.json
cosign attest --predicate /tmp/provenance.json --type slsaprovenance "${IMAGE_DIGEST}"
echo "Provenance attestation attached successfully"
- name: Install Docker Scout - name: Install Docker Scout
run: | run: |
@ -259,8 +219,8 @@ jobs:
- name: Docker Scout CVE Scan - name: Docker Scout CVE Scan
run: | run: |
docker pull ${{ steps.publish.outputs.image_ref }} docker pull ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-latest
docker scout cves ${{ steps.publish.outputs.image_ref }} --only-severity critical,high docker scout cves ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-latest --only-severity critical,high
notify-flutter: notify-flutter:
name: Create release for new Flutter version name: Create release for new Flutter version