From 58b9ccb56c266ac9d11917a373fd63376c31674e Mon Sep 17 00:00:00 2001
From: Mathias Beaulieu-Duncan
Date: Fri, 13 Feb 2026 21:57:54 -0500
Subject: [PATCH] Add supply chain attestation to installer image via crane + buildx

Push the full installer tar with crane first (preserving all layers), then re-wrap with docker buildx to add provenance and SBOM attestation for Docker Scout compliance. Buildx can pull the image from the registry since crane already pushed it, avoiding the docker-container driver limitation with locally loaded images.

Co-Authored-By: Claude Opus 4.6
---
 Makefile | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/Makefile b/Makefile
index b4948d1..1c89a19 100644
--- a/Makefile
+++ b/Makefile
@@ -188,6 +188,10 @@ installer:
 --base-installer-image="$(INSTALLER_IMAGE):base-$(TALOS_TAG)" \
 $(IMAGER_COMMON_FLAGS) && \
 crane push ./_out/installer-arm64.tar $(INSTALLER_IMAGE):$(TALOS_TAG) && \
+ printf "FROM $(INSTALLER_IMAGE):$(TALOS_TAG)\n" | docker buildx build \
+ --platform linux/arm64 \
+ $(ATTESTATION_ARGS) \
+ -t $(INSTALLER_IMAGE):$(TALOS_TAG) --push - && \
 docker \
 run --rm -t -v ./_out:/out -v /dev:/dev --privileged \
 $(IMAGER_IMAGE):$(TALOS_TAG) \
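Review bot: The added `printf "FROM $(INSTALLER_IMAGE):$(TALOS_TAG)\n"` line makes buildx pull the installer back by mutable tag, so the provenance and SBOM are attached to whatever the tag resolves to at pull time, not provably to the tar that `crane push` uploaded one line earlier. Capturing the digest reference that `crane push` prints and building from it closes that gap and also stops the image name being used as a printf format string: `ref=$$(crane push ./_out/installer-arm64.tar $(INSTALLER_IMAGE):$(TALOS_TAG)) && \` followed by `printf 'FROM %s\n' "$$ref" | docker buildx build \`. The provenance buildx generates here presumably describes only this one-line `FROM` wrap, not the imager run that produced the layers, which deserves a comment above the step. `$(ATTESTATION_ARGS)` is defined outside the hunk; if it can expand to empty, the re-push happens with no attestation and no error. The `installer` recipe starts and continues outside the hunk.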