Add supply chain attestation to installer image via crane + buildx
Push the full installer tar with crane first (preserving all layers), then re-wrap with docker buildx to add provenance and SBOM attestation for Docker Scout compliance. Buildx can pull the image from the registry since crane already pushed it, avoiding the docker-container driver limitation with locally loaded images. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Mathias Beaulieu-Duncan
parent
784fb4d5f6
commit
58b9ccb56c
4
Makefile
4
Makefile
@ -188,6 +188,10 @@ installer:
|
||||
--base-installer-image="$(INSTALLER_IMAGE):base-$(TALOS_TAG)" \
|
||||
$(IMAGER_COMMON_FLAGS) && \
|
||||
crane push ./_out/installer-arm64.tar $(INSTALLER_IMAGE):$(TALOS_TAG) && \
|
||||
printf "FROM $(INSTALLER_IMAGE):$(TALOS_TAG)\n" | docker buildx build \
|
||||
--platform linux/arm64 \
|
||||
$(ATTESTATION_ARGS) \
|
||||
-t $(INSTALLER_IMAGE):$(TALOS_TAG) --push - && \
|
||||
docker \
|
||||
run --rm -t -v ./_out:/out -v /dev:/dev --privileged \
|
||||
$(IMAGER_IMAGE):$(TALOS_TAG) \
|
||||
|
||||
Loading…
Reference in New Issue
Block a user