diff --git a/.github/workflows/images_build.yml b/.github/workflows/images_build.yml index fe5452d1f..83d715e64 100644 --- a/.github/workflows/images_build.yml +++ b/.github/workflows/images_build.yml @@ -30,6 +30,7 @@ env: TRUNK_ONLY_EVENT: ${{ contains(fromJSON('["schedule"]'), github.event_name) }} AUTO_PUSH_IMAGES: ${{ ! contains(fromJSON('["workflow_dispatch"]'), github.event_name) && vars.AUTO_PUSH_IMAGES }} + DOCKER_REGISTRY: ${{ vars.DOCKER_REGISTRY }} DOCKER_REPOSITORY: ${{ vars.DOCKER_REPOSITORY }} LATEST_BRANCH: ${{ github.event.repository.default_branch }} TRUNK_GIT_BRANCH: "refs/heads/trunk" @@ -171,6 +172,7 @@ jobs: contents: read id-token: write packages: write + attestations: write steps: - name: Block egress traffic uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 @@ -310,7 +312,7 @@ jobs: with: images: | ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }} - ${{ format('{0}/{1}{2}', env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }} + ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }} context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }} tags: | type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}- 
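Review bot: `DOCKER_REGISTRY: ${{ vars.DOCKER_REGISTRY }}` in the `@@ -30` hunk has no fallback, so when the repository variable is unset the expression expands to an empty string and the rewritten `images:` line in the `@@ -310` hunk becomes `/<repository>/<prefix><name>`, an invalid reference where the old `format('{0}/{1}{2}', env.DOCKER_REPOSITORY, …)` form implicitly targeted Docker Hub. The same value now also feeds the attestation `subject-name`, so a misconfigured variable produces a broken push target and a broken attestation subject together instead of failing early. Consider `DOCKER_REGISTRY: ${{ vars.DOCKER_REGISTRY || 'docker.io' }}` to preserve the previous behaviour, or an explicit check in the init job that fails when the variable is empty. The same applies to the `DOCKER_REGISTRY:` addition in images_build_windows.yml (`@@ -27`) and to every other rewritten `images:` line in this diff.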
@@ -407,6 +409,15 @@ jobs: cosign sign --yes ${images} echo "::endgroup::" + - name: Attest images + if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} + id: attest + uses: actions/attest-build-provenance@v1 + with: + subject-name: ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }} + subject-digest: ${{ steps.docker_build.outputs.digest }} + push-to-registry: true + - name: Image metadata env: CACHE_FILE_NAME: ${{ env.BASE_CACHE_FILE_NAME }} @@ -441,6 +452,7 @@ jobs: contents: read id-token: write packages: write + attestations: write steps: - name: Block egress traffic uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 @@ -520,7 +532,7 @@ jobs: with: images: | ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }} - ${{ format('{0}/{1}{2}', env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }} + ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }} context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }} tags: | type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}- @@ -570,7 +582,7 @@ jobs: cosign verify \ --certificate-oidc-issuer-regexp "$OIDC_ISSUER" \ --certificate-identity-regexp "$IDENTITY_REGEX" \ - "$BASE_IMAGE" + "$BASE_IMAGE" | jq echo "::endgroup::" - name: Prepare cache data 
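Review bot: The new `uses: actions/attest-build-provenance@v1` step in the `@@ -407` hunk pins by a mutable tag, while every other action in these workflows is pinned to a full commit SHA with a version comment (`step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0`, `docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1`), so this step can change underneath the workflow without a reviewed diff. Pin it the same way: `uses: actions/attest-build-provenance@<full-commit-sha> # v<tag the SHA corresponds to>`. The job also opens with a "Block egress traffic" harden-runner step whose allow-list is outside the hunk; it is worth confirming that the endpoints this action needs for signing and for `push-to-registry: true` are permitted there, otherwise the failure only shows up at runtime. The same applies to the identical attest steps at `@@ -659`, `@@ -1013` and the three in images_build_windows.yml (`@@ -307`, `@@ -534`, `@@ -774`).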
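Review bot: Appending `| jq` to `cosign verify` in the `@@ -570` hunk makes the pipeline's exit status that of `jq`, so a failed base-image verification no longer fails the job unless the script runs with `pipefail`; the step's `shell:` key is outside the hunk, and a `run:` step without an explicit `shell: bash` uses `bash -e` without `-o pipefail`. Add `set -o pipefail` as the first line of the script (or set `shell: bash`, which enables it), and prefer an explicit filter, `"$BASE_IMAGE" | jq .`, rather than relying on jq's implicit default program. The same change is made at `@@ -946`.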
@@ -659,6 +671,15 @@ jobs: cosign sign --yes ${images} echo "::endgroup::" + - name: Attest images + if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} + id: attest + uses: actions/attest-build-provenance@v1 + with: + subject-name: ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }} + subject-digest: ${{ steps.docker_build.outputs.digest }} + push-to-registry: true + - name: Image metadata env: CACHE_FILE_NAME: ${{ env.BUILD_CACHE_FILE_NAME }} @@ -694,6 +715,7 @@ jobs: contents: read id-token: write packages: write + attestations: write steps: - name: Block egress traffic uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 @@ -894,7 +916,7 @@ jobs: with: images: | ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }} - ${{ format('{0}/{1}{2}', env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }} + ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }} context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }} tags: | type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}- @@ -946,7 +968,7 @@ jobs: cosign verify \ --certificate-oidc-issuer-regexp "${OIDC_ISSUER}" \ --certificate-identity-regexp "${IDENTITY_REGEX}" \ - "${BASE_IMAGE}" + "${BASE_IMAGE}" | jq echo "::endgroup::" - name: Prepare cache data 
@@ -1013,6 +1035,15 @@ jobs: cosign sign --yes ${images} echo "::endgroup::" + - name: Attest images + if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} + id: attest + uses: actions/attest-build-provenance@v1 + with: + subject-name: ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }} + subject-digest: ${{ steps.docker_build.outputs.digest }} + push-to-registry: true + - name: Image metadata if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} env: diff --git a/.github/workflows/images_build_rhel.yml b/.github/workflows/images_build_rhel.yml index 13c8b29e9..280695b7b 100644 --- a/.github/workflows/images_build_rhel.yml +++ b/.github/workflows/images_build_rhel.yml @@ -12,6 +12,7 @@ on: - 'Dockerfiles/*/rhel/*' - 'build.json' - '!**/README.md' + - '!**/README.html' - '.github/workflows/images_build_rhel.yml' workflow_dispatch: inputs: diff --git a/.github/workflows/images_build_windows.yml b/.github/workflows/images_build_windows.yml index 154f26431..ca365f8a6 100644 --- a/.github/workflows/images_build_windows.yml +++ b/.github/workflows/images_build_windows.yml @@ -27,6 +27,7 @@ env: TRUNK_ONLY_EVENT: ${{ contains(fromJSON('["schedule"]'), github.event_name) }} AUTO_PUSH_IMAGES: ${{ vars.AUTO_PUSH_IMAGES }} + DOCKER_REGISTRY: ${{ vars.DOCKER_REGISTRY }} DOCKER_REPOSITORY: ${{ vars.DOCKER_REPOSITORY }} LATEST_BRANCH: ${{ github.event.repository.default_branch }} TRUNK_GIT_BRANCH: "refs/heads/trunk" @@ -148,6 +149,7 @@ jobs: permissions: contents: read id-token: write + attestations: write strategy: fail-fast: false matrix: 
@@ -192,7 +194,7 @@ jobs: id: meta uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 with: - images: ${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX }}${{ env.BASE_IMAGE_NAME }} + images: ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX }}${{ env.BASE_IMAGE_NAME }} context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }} tags: | type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}- @@ -307,6 +309,15 @@ jobs: cosign sign --yes $tag_list echo "::endgroup::" + - name: Attest images + if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} + id: attest + uses: actions/attest-build-provenance@v1 + with: + subject-name: ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX }}${{ env.BASE_IMAGE_NAME }} + subject-digest: ${{ steps.docker_build.outputs.digest }} + push-to-registry: true + - name: Image digest if: ${{ env.AUTO_PUSH_IMAGES }} env: @@ -337,6 +348,7 @@ jobs: permissions: contents: read id-token: write + attestations: write strategy: fail-fast: false matrix: @@ -381,7 +393,7 @@ jobs: id: meta uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 with: - images: ${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX }}${{ env.BASE_BUILD_IMAGE_NAME }} + images: ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX }}${{ env.BASE_BUILD_IMAGE_NAME }} context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }} tags: | type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.component }}-${{ steps.base_os_tag.outputs.os_tag }}- @@ -430,7 +442,7 @@ jobs: cosign verify ` --certificate-oidc-issuer-regexp "$Env:OIDC_ISSUER" ` --certificate-identity-regexp "$Env:IDENITY_REGEX" ` - "$Env:BASE_IMAGE" + "$Env:BASE_IMAGE" | jq - name: Build and push image id: docker_build 
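Review bot: In the `@@ -430` hunk, piping `cosign verify` into `jq` inside a PowerShell `run:` script (backtick continuations, `$Env:`) means `$LASTEXITCODE` reflects `jq` rather than `cosign`, and that trailing exit code is what the runner uses to fail the step for native commands, so a rejected base-image signature would be silently ignored and the build would proceed; there is no `pipefail` equivalent to reach for here. Capture the verify output first, check the exit code explicitly, then pretty-print, as below. Adjacent but pre-existing: `$Env:IDENITY_REGEX` is presumably matched by an `env:` key with the same spelling outside the hunk — worth confirming, since a mismatch would weaken the identity constraint passed to cosign. The same pipe is added at `@@ -657`.
```powershell
$verifyOutput = cosign verify `
  --certificate-oidc-issuer-regexp "$Env:OIDC_ISSUER" `
  --certificate-identity-regexp "$Env:IDENITY_REGEX" `
  "$Env:BASE_IMAGE"
if ($LASTEXITCODE -ne 0) { throw "cosign verify failed for $Env:BASE_IMAGE" }
$verifyOutput | jq .
# … unchanged: remainder of the step script …
```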
@@ -534,6 +546,15 @@ jobs: cosign sign --yes $tag_list echo "::endgroup::" + - name: Attest images + if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} + id: attest + uses: actions/attest-build-provenance@v1 + with: + subject-name: ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX }}${{ env.BASE_BUILD_IMAGE_NAME }} + subject-digest: ${{ steps.docker_build.outputs.digest }} + push-to-registry: true + - name: Image digest if: ${{ env.AUTO_PUSH_IMAGES }} env: @@ -564,6 +585,7 @@ jobs: permissions: contents: read id-token: write + attestations: write strategy: fail-fast: false matrix: @@ -608,7 +630,7 @@ jobs: id: meta uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 with: - images: ${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX }}${{ matrix.component }} + images: ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX }}${{ matrix.component }} context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }} tags: | type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ steps.base_os_tag.outputs.os_tag }}- @@ -657,7 +679,7 @@ jobs: cosign verify ` --certificate-oidc-issuer-regexp "$Env:OIDC_ISSUER" ` --certificate-identity-regexp "$Env:IDENITY_REGEX" ` - "$Env:BASE_IMAGE" + "$Env:BASE_IMAGE" | jq - name: Build and push image id: docker_build @@ -774,6 +796,15 @@ jobs: cosign sign --yes $tag_list echo "::endgroup::" + - name: Attest images + if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} + id: attest + uses: actions/attest-build-provenance@v1 + with: + subject-name: ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_REPOSITORY }}/${{ env.IMAGES_PREFIX }}${{ matrix.component }} + subject-digest: ${{ steps.docker_build.outputs.digest }} + push-to-registry: true + - name: Image digest if: ${{ env.AUTO_PUSH_IMAGES }} env: