Skip to content

feat: add attest-images action for container image build provenance attestation#864

Open
neilime with Copilot wants to merge 5 commits into
mainfrom
copilot/update-container-supply-chain-workflow
Open

feat: add attest-images action for container image build provenance attestation#864
neilime with Copilot wants to merge 5 commits into
mainfrom
copilot/update-container-supply-chain-workflow

Conversation

Copilot AI commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Adds a dedicated actions/docker/attest-images composite action for SLSA build provenance attestation using actions/attest (not actions/attest-build-provenance, which GitHub now deprecates for new implementations). Signing and attestation are distinct supply-chain controls — this keeps them properly separated.

New action: actions/docker/attest-images

  • Accepts the same images input format as sign-images (registry/name:tag@digest, JSON array, or delimited string)
  • Deduplicates by registry/name + digest — multiple tags sharing a digest produce one attestation
  • Calls actions/attest@v4.1.1 (SHA-pinned) per unique subject; supports up to 5 unique images per invocation via static conditional steps (composite actions cannot dynamically loop over uses: steps)
  • push-to-registry: true by default, storing the attestation as an OCI artifact alongside the image
  • Required permissions: id-token: write, attestations: write

Updated: docker-build-images reusable workflow

Adds an attest boolean input (default false) that triggers attestation after manifest publication, mirroring the existing sign input pattern:

uses: hoverkraft-tech/ci-github-container/.github/workflows/docker-build-images.yml@main
with:
  sign: true    # cosign registry-native signature
  attest: true  # GitHub-native SLSA provenance attestation

The publish-manifests job gains attestations: write permission (only exercised when attest: true).

Signing vs. attestation

Control Action What it proves
Signature sign-images (cosign) Image was signed by a trusted identity — registry-native
Provenance attest-images (this PR) Image was built by a specific workflow on a specific commit — GitHub-native

Both should be used together for a complete supply-chain posture. Attestations can be verified with gh attestation verify oci://ghcr.io/….

Copilot AI changed the title [WIP] Update workflow for container supply-chain with image provenance feat: add attest-images action for container image build provenance attestation Jul 7, 2026
Copilot AI requested a review from neilime July 7, 2026 14:41
@neilime neilime marked this pull request as ready for review July 7, 2026 14:52

@neilime neilime left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@copilot add CI tests

Copilot AI commented Jul 8, 2026

Copy link
Copy Markdown
Contributor Author

@copilot add CI tests

Added in commit fix: use if/else in attestation assertion step (and its predecessor).

Created .github/workflows/__test-workflow-docker-build-images-attestation.yml following the arrange/act/assert/cleanup pattern used by existing test workflows:

  • Arrange — generates a matrix of 3 cases: mono-arch attested, multi-arch attested, and mono-arch not-attested
  • Act — calls docker-build-images.yml with attest: ${{ matrix.attest }} and sign: false
  • Assert — runs gh attestation verify oci://ghcr.io/… to confirm attested images have provenance and non-attested images do not
  • Cleanup — deletes ephemeral test packages

Also registered the new test in __shared-ci.yml (with attestations: write) and propagated attestations: write to the CI caller workflows (__pull-request-ci.yml, __main-ci.yml).

Copilot AI requested a review from neilime July 8, 2026 11:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants