Skip to content

feat: add image attestation workflow step#5158

Merged
GenPage merged 3 commits intorunatlantis:mainfrom
notdurson:signing-and-sbom
Dec 19, 2024
Merged

feat: add image attestation workflow step#5158
GenPage merged 3 commits intorunatlantis:mainfrom
notdurson:signing-and-sbom

Conversation

@notdurson
Copy link
Contributor

@notdurson notdurson commented Dec 12, 2024
edited by nitrocode
Loading

what

  • This change adds a step to the container build workflow which signs the resulting images and stores the attestation/signature for review by users.

why

tests

  • local cosign run was successful.

references

@notdurson notdurson requested review from a team as code owners December 12, 2024 20:59
@notdurson notdurson requested review from GenPage, X-Guardian and nitrocode and removed request for a team December 12, 2024 20:59
@dosubot dosubot bot added the docker Pull requests that update Docker code label Dec 12, 2024
@jamengual jamengual changed the title add image attestation workflow step fix: add image attestation workflow step Dec 12, 2024
@bmbeverst
Copy link

bmbeverst commented Dec 12, 2024

Looks like this needs some additional permissions per step one of the action's docs.

@notdurson
Copy link
Contributor Author

notdurson commented Dec 12, 2024

I can't see the vuln that Fossa's complaining about. @nitrocode can you take a look?

@jamengual
Copy link
Contributor

jamengual commented Dec 12, 2024

image

robertchrk
robertchrk reviewed Dec 13, 2024
View reviewed changes
robertchrk
robertchrk reviewed Dec 13, 2024
View reviewed changes
nitrocode
nitrocode reviewed Dec 13, 2024
View reviewed changes
@nitrocode
Copy link
Member

nitrocode commented Dec 13, 2024

Thanks for the contribution!

Could you test this out in your fork by merging your signing-and-sbom branch into your fork's main branch? That should trigger a push and then we can then look at the released image to see if it successfully added image attestation.

@chenrui333 chenrui333 added the feature New functionality/enhancement label Dec 15, 2024
@chenrui333
Copy link
Member

chenrui333 commented Dec 15, 2024

the vulnerbility issue should be fixed per #5165

chenrui333
chenrui333 previously approved these changes Dec 15, 2024
View reviewed changes
Copy link
Member

@chenrui333 chenrui333 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@dosubot dosubot bot added the lgtm This PR has been approved by a maintainer label Dec 15, 2024
@chenrui333 chenrui333 changed the title fix: add image attestation workflow step feat: add image attestation workflow step Dec 15, 2024
@notdurson
Copy link
Contributor Author

notdurson commented Dec 16, 2024

@nitrocode @chenrui333 Friends, thank you for your patience. We conducted some additional tests and were able to successfully sign/attest to an image in my fork.

I would appreciate it if you could review the most recent commit here, and give it a maintainer-grade 👍 if you're okay with it.

jamengual
jamengual reviewed Dec 17, 2024
View reviewed changes
@notdurson
Copy link
Contributor Author

notdurson commented Dec 18, 2024
edited
Loading

@jamengual ok - it's still failing, but that's expected. it's because we're hitting this issue in the attest-build-provenance action - tl;dr, the action won't run if it's run as part of a merge from a fork, the merge has to be completed from a branch in the same repo.

in my fork, the attestation works on the latest build. are you comfortable approving a merge with this in mind?

@notdurson notdurson mentioned this pull request Dec 19, 2024
Closed
1 task
@GenPage
Copy link
Member

GenPage commented Dec 19, 2024

The image building is expected to fail because the github token changes are not merged to main yet.

@GenPage
Copy link
Member

GenPage commented Dec 19, 2024

@notdurson question, I saw we were gating the attest and push on the global PUSH var. Why was it removed?

remove conditional for image attestation step

@notdurson
Copy link
Contributor Author

notdurson commented Dec 19, 2024

@GenPage I removed it because it was causing the attestation step to skip during test builds. I can include dependency updates in tests in the future, in order to trigger a push; however, this might fail due to my lack of member/maintainer permission. It'll also slow down the process.

Would you like me to add the gate back, or are you okay with leaving it out?

@GenPage
Copy link
Member

GenPage commented Dec 19, 2024

@notdurson Ah, so it was for testing. Our main image has a gate for pushing where we want to test builds and not push (on PRs). Let's add it back for consistency unless I misunderstand the attestation point. It should only be required for images pushed not solely built correct?

@plygrnd
Copy link

plygrnd commented Dec 19, 2024

@GenPage Sounds good, incoming!

@notdurson
Copy link
Contributor Author

notdurson commented Dec 19, 2024

@GenPage @jamengual apologies for delay. I cleaned the tree and force-pushed the relevant changes.

@GenPage GenPage merged commit 91574ef into runatlantis:main Dec 19, 2024
@notdurson notdurson deleted the signing-and-sbom branch December 19, 2024 21:37
@BrewTestBot BrewTestBot mentioned this pull request Dec 20, 2024
Merged
1 task
@notdurson notdurson mentioned this pull request Dec 20, 2024
Closed
1 task
@notdurson notdurson mentioned this pull request Dec 30, 2024
Merged
kvanzuijlen pushed a commit to kvanzuijlen/atlantis that referenced this pull request Jan 4, 2025
@notdurson @kvanzuijlen
feat: add image attestation workflow step (runatlantis#5158)
013eb99 
Signed-off-by: Dan Urson <[email protected]>
Signed-off-by: kvanzuijlen <[email protected]>
lukaspj pushed a commit to lukaspj/atlantis that referenced this pull request Jan 8, 2025
@notdurson @lukaspj
feat: add image attestation workflow step (runatlantis#5158)
ec55777 
Signed-off-by: Dan Urson <[email protected]>
Signed-off-by: Lukas Peter Aldershaab <[email protected]>
This was referenced Jan 27, 2025
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nitrocode nitrocode nitrocode left review comments

@jamengual jamengual jamengual approved these changes

@chenrui333 chenrui333 chenrui333 left review comments

@GenPage GenPage Awaiting requested review from GenPage GenPage was automatically assigned from runatlantis/maintainers

@X-Guardian X-Guardian Awaiting requested review from X-Guardian X-Guardian was automatically assigned from runatlantis/core-contributors

+1 more reviewer

@robertchrk robertchrk robertchrk left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

docker Pull requests that update Docker code feature New functionality/enhancement github-actions lgtm This PR has been approved by a maintainer

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Start signing Atlantis containers and providing signatures/SBOMs for new releases

8 participants

@notdurson @bmbeverst @jamengual @nitrocode @chenrui333 @GenPage @plygrnd @robertchrk