svrnty/talos-rpi5
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 23 Wiki Activity

Add supply chain attestation to installer image via crane + buildx
Some checks failed
Build Talos CM5 Image / build (push) Successful in 5m19s
Details
Check Upstream Updates / check-and-build (push) Failing after 13s
Details

Browse Source 
Push the full installer tar with crane first (preserving all layers),
then re-wrap with docker buildx to add provenance and SBOM attestation
for Docker Scout compliance. Buildx can pull the image from the registry
since crane already pushed it, avoiding the docker-container driver
limitation with locally loaded images.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Mathias Beaulieu-Duncan 2026-02-13 21:57:54 -05:00
parent 784fb4d5f6
commit 58b9ccb56c
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Makefile
View File

@ -188,6 +188,10 @@ installer:
--base-installer-image="$(INSTALLER_IMAGE):base-$(TALOS_TAG)" \ --base-installer-image="$(INSTALLER_IMAGE):base-$(TALOS_TAG)" \
$(IMAGER_COMMON_FLAGS) && \ $(IMAGER_COMMON_FLAGS) && \
crane push ./_out/installer-arm64.tar $(INSTALLER_IMAGE):$(TALOS_TAG) && \ crane push ./_out/installer-arm64.tar $(INSTALLER_IMAGE):$(TALOS_TAG) && \
printf "FROM $(INSTALLER_IMAGE):$(TALOS_TAG)\n" | docker buildx build \
--platform linux/arm64 \
$(ATTESTATION_ARGS) \
-t $(INSTALLER_IMAGE):$(TALOS_TAG) --push - && \
docker \ docker \
run --rm -t -v ./_out:/out -v /dev:/dev --privileged \ run --rm -t -v ./_out:/out -v /dev:/dev --privileged \
$(IMAGER_IMAGE):$(TALOS_TAG) \ $(IMAGER_IMAGE):$(TALOS_TAG) \