svrnty/docker-base-distro
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 13 Wiki Activity

Fix provenance JSON: use jq instead of heredoc to avoid whitespace
Some checks failed
Check for Upstream Stable Updates / Rebuild and push all variants (apko/flutter-sdk.yaml, flutter-sdk) (push) Blocked by required conditions
Details
Check for Upstream Stable Updates / Create release for new Flutter version (push) Blocked by required conditions
Details
Weekly Rebuild (CVE Updates) / rebuild (apko/base.yaml, base) (push) Failing after 24s
Details
Weekly Rebuild (CVE Updates) / rebuild (apko/build.yaml, build) (push) Failing after 24s
Details
Weekly Rebuild (CVE Updates) / rebuild (apko/dotnet-sdk.yaml, dotnet-sdk) (push) Failing after 27s
Details
Weekly Rebuild (CVE Updates) / rebuild (apko/dotnet-runtime.yaml, dotnet-runtime) (push) Failing after 28s
Details
Check for Upstream Stable Updates / Check Wolfi package updates (push) Successful in 14s
Details
Check for Upstream Stable Updates / Check .NET stable releases (push) Successful in 1s
Details
Check for Upstream Stable Updates / Check Flutter stable releases (push) Successful in 1s
Details
Check for Upstream Stable Updates / Rebuild and push all variants (apko/base.yaml, base) (push) Failing after 17s
Details
Check for Upstream Stable Updates / Rebuild and push all variants (apko/build.yaml, build) (push) Failing after 21s
Details
Check for Upstream Stable Updates / Rebuild and push all variants (apko/dotnet-runtime.yaml, dotnet-runtime) (push) Failing after 20s
Details
Weekly Rebuild (CVE Updates) / rebuild (apko/flutter-sdk.yaml, flutter-sdk) (push) Has been cancelled
Details
Check for Upstream Stable Updates / Rebuild and push all variants (apko/dotnet-sdk.yaml, dotnet-sdk) (push) Has been cancelled
Details

Browse Source 
The heredoc with YAML indentation produced JSON with leading spaces,
causing cosign to fail with "required field builder missing". Use
jq -n with --arg to generate clean JSON.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
Mathias Beaulieu-Duncan 2026-02-02 10:17:16 -05:00
parent 2e07c31e99
commit dcedc113e8
3 changed files with 78 additions and 106 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

62
.gitea/workflows/publish.yaml
View File

@ -96,44 +96,34 @@ jobs:
COSIGN_YES: "true" COSIGN_YES: "true"
run: | run: |
IMAGE_DIGEST="${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}@${{ steps.publish.outputs.digest }}" IMAGE_DIGEST="${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}@${{ steps.publish.outputs.digest }}"
# Generate SLSA-style provenance DIGEST_SHA=$(echo '${{ steps.publish.outputs.digest }}' | sed 's/sha256://')
cat > /tmp/provenance.json << PROVEOF jq -n \
{ --arg type "https://in-toto.io/Statement/v0.1" \
"_type": "https://in-toto.io/Statement/v0.1", --arg predType "https://slsa.dev/provenance/v0.2" \
"predicateType": "https://slsa.dev/provenance/v0.2", --arg name "${{ steps.publish.outputs.image_ref }}" \
"subject": [ --arg sha "$DIGEST_SHA" \
{ --arg builder "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" \
"name": "${{ steps.publish.outputs.image_ref }}", --arg buildType "https://apko.dev/build/v1" \
"digest": { --arg uri "${{ github.server_url }}/${{ github.repository }}" \
"sha256": "$(echo '${{ steps.publish.outputs.digest }}' | sed 's/sha256://')" --arg sha1 "${{ github.sha }}" \
--arg entry "${{ matrix.config }}" \
--arg runId "${{ github.run_id }}" \
'{
"_type": $type,
"predicateType": $predType,
"subject": [{"name": $name, "digest": {"sha256": $sha}}],
"predicate": {
"builder": {"id": $builder},
"buildType": $buildType,
"invocation": {
"configSource": {"uri": $uri, "digest": {"sha1": $sha1}, "entryPoint": $entry}
},
"metadata": {
"buildInvocationID": $runId,
"completeness": {"parameters": true, "environment": true, "materials": true}
} }
} }
], }' > /tmp/provenance.json
"predicate": {
"buildType": "https://apko.dev/build/v1",
"builder": {
"id": "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
},
"invocation": {
"configSource": {
"uri": "${{ github.server_url }}/${{ github.repository }}",
"digest": {
"sha1": "${{ github.sha }}"
},
"entryPoint": "${{ matrix.config }}"
}
},
"metadata": {
"buildInvocationID": "${{ github.run_id }}",
"completeness": {
"parameters": true,
"environment": true,
"materials": true
}
}
}
}
PROVEOF
cosign attest --predicate /tmp/provenance.json --type slsaprovenance "${IMAGE_DIGEST}" cosign attest --predicate /tmp/provenance.json --type slsaprovenance "${IMAGE_DIGEST}"
echo "Provenance attestation attached successfully" echo "Provenance attestation attached successfully"

61
.gitea/workflows/rebuild.yaml
View File

@ -89,43 +89,34 @@ jobs:
COSIGN_YES: "true" COSIGN_YES: "true"
run: | run: |
IMAGE_DIGEST="${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}@${{ steps.publish.outputs.digest }}" IMAGE_DIGEST="${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}@${{ steps.publish.outputs.digest }}"
cat > /tmp/provenance.json << PROVEOF DIGEST_SHA=$(echo '${{ steps.publish.outputs.digest }}' | sed 's/sha256://')
{ jq -n \
"_type": "https://in-toto.io/Statement/v0.1", --arg type "https://in-toto.io/Statement/v0.1" \
"predicateType": "https://slsa.dev/provenance/v0.2", --arg predType "https://slsa.dev/provenance/v0.2" \
"subject": [ --arg name "${{ steps.publish.outputs.image_ref }}" \
{ --arg sha "$DIGEST_SHA" \
"name": "${{ steps.publish.outputs.image_ref }}", --arg builder "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" \
"digest": { --arg buildType "https://apko.dev/build/v1" \
"sha256": "$(echo '${{ steps.publish.outputs.digest }}' | sed 's/sha256://')" --arg uri "${{ github.server_url }}/${{ github.repository }}" \
--arg sha1 "${{ github.sha }}" \
--arg entry "${{ matrix.config }}" \
--arg runId "${{ github.run_id }}" \
'{
"_type": $type,
"predicateType": $predType,
"subject": [{"name": $name, "digest": {"sha256": $sha}}],
"predicate": {
"builder": {"id": $builder},
"buildType": $buildType,
"invocation": {
"configSource": {"uri": $uri, "digest": {"sha1": $sha1}, "entryPoint": $entry}
},
"metadata": {
"buildInvocationID": $runId,
"completeness": {"parameters": true, "environment": true, "materials": true}
} }
} }
], }' > /tmp/provenance.json
"predicate": {
"buildType": "https://apko.dev/build/v1",
"builder": {
"id": "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
},
"invocation": {
"configSource": {
"uri": "${{ github.server_url }}/${{ github.repository }}",
"digest": {
"sha1": "${{ github.sha }}"
},
"entryPoint": "${{ matrix.config }}"
}
},
"metadata": {
"buildInvocationID": "${{ github.run_id }}",
"completeness": {
"parameters": true,
"environment": true,
"materials": true
}
}
}
}
PROVEOF
cosign attest --predicate /tmp/provenance.json --type slsaprovenance "${IMAGE_DIGEST}" cosign attest --predicate /tmp/provenance.json --type slsaprovenance "${IMAGE_DIGEST}"
echo "Provenance attestation attached successfully" echo "Provenance attestation attached successfully"

61
.gitea/workflows/update-check.yaml
View File

@ -179,43 +179,34 @@ jobs:
COSIGN_YES: "true" COSIGN_YES: "true"
run: | run: |
IMAGE_DIGEST="${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}@${{ steps.publish.outputs.digest }}" IMAGE_DIGEST="${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}@${{ steps.publish.outputs.digest }}"
cat > /tmp/provenance.json << PROVEOF DIGEST_SHA=$(echo '${{ steps.publish.outputs.digest }}' | sed 's/sha256://')
{ jq -n \
"_type": "https://in-toto.io/Statement/v0.1", --arg type "https://in-toto.io/Statement/v0.1" \
"predicateType": "https://slsa.dev/provenance/v0.2", --arg predType "https://slsa.dev/provenance/v0.2" \
"subject": [ --arg name "${{ steps.publish.outputs.image_ref }}" \
{ --arg sha "$DIGEST_SHA" \
"name": "${{ steps.publish.outputs.image_ref }}", --arg builder "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" \
"digest": { --arg buildType "https://apko.dev/build/v1" \
"sha256": "$(echo '${{ steps.publish.outputs.digest }}' | sed 's/sha256://')" --arg uri "${{ github.server_url }}/${{ github.repository }}" \
--arg sha1 "${{ github.sha }}" \
--arg entry "${{ matrix.config }}" \
--arg runId "${{ github.run_id }}" \
'{
"_type": $type,
"predicateType": $predType,
"subject": [{"name": $name, "digest": {"sha256": $sha}}],
"predicate": {
"builder": {"id": $builder},
"buildType": $buildType,
"invocation": {
"configSource": {"uri": $uri, "digest": {"sha1": $sha1}, "entryPoint": $entry}
},
"metadata": {
"buildInvocationID": $runId,
"completeness": {"parameters": true, "environment": true, "materials": true}
} }
} }
], }' > /tmp/provenance.json
"predicate": {
"buildType": "https://apko.dev/build/v1",
"builder": {
"id": "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
},
"invocation": {
"configSource": {
"uri": "${{ github.server_url }}/${{ github.repository }}",
"digest": {
"sha1": "${{ github.sha }}"
},
"entryPoint": "${{ matrix.config }}"
}
},
"metadata": {
"buildInvocationID": "${{ github.run_id }}",
"completeness": {
"parameters": true,
"environment": true,
"materials": true
}
}
}
}
PROVEOF
cosign attest --predicate /tmp/provenance.json --type slsaprovenance "${IMAGE_DIGEST}" cosign attest --predicate /tmp/provenance.json --type slsaprovenance "${IMAGE_DIGEST}"
echo "Provenance attestation attached successfully" echo "Provenance attestation attached successfully"