ci: replace BuildKit attestations with proper signed provenance#31
Open
YagUber wants to merge 1 commit intoPNRxA:mainfrom
The GHCR container page currently shows `unknown/unknown` entries alongside `linux/amd64` and `linux/arm64`. This is caused by BuildKit automatically embedding attestation metadata directly into the image manifest, which GHCR displays as an extra platform entry.

Inspecting the manifest confirms these are BuildKit embedded attestations; each has a `vnd.docker.reference.type: attestation-manifest` annotation referencing its respective platform image:

```
$ docker buildx imagetools inspect ghcr.io/pnrxa/openposterdb:latest
Manifests:
  Name:        ghcr.io/pnrxa/openposterdb:latest@sha256:f9ffa3a13919dcba90a3e1edc3df3ebfcc8ebb16bacb4fab6d6e4ef658fe5f2d
  MediaType:   application/vnd.oci.image.manifest.v1+json
  Platform:    linux/amd64

  Name:        ghcr.io/pnrxa/openposterdb:latest@sha256:ce0ddfe5c1bb96099f77f87f786c69595f6f36194efa0dee66c202f140507645
  MediaType:   application/vnd.oci.image.manifest.v1+json
  Platform:    unknown/unknown
  Annotations:
    vnd.docker.reference.digest: sha256:f9ffa3a13919dcba90a3e1edc3df3ebfcc8ebb16bacb4fab6d6e4ef658fe5f2d
    vnd.docker.reference.type:   attestation-manifest

  Name:        ghcr.io/pnrxa/openposterdb:latest@sha256:6a779932e07bf430d21fe8f78268c4465a8168995331f4033f4f7b3b15771318
  MediaType:   application/vnd.oci.image.manifest.v1+json
  Platform:    linux/arm64

  Name:        ghcr.io/pnrxa/openposterdb:latest@sha256:503461cba08afa6a46a51aa9ff98c6b229fad1396412e16810daf094f8e2cf83
  MediaType:   application/vnd.oci.image.manifest.v1+json
  Platform:    unknown/unknown
  Annotations:
    vnd.docker.reference.digest: sha256:6a779932e07bf430d21fe8f78268c4465a8168995331f4033f4f7b3b15771318
    vnd.docker.reference.type:   attestation-manifest
```

This PR fixes that by:

- `provenance: false` to the build step to disable BuildKit's automatic attestation embedding
- `actions/attest` via Sigstore/OIDC
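As an added example (not code from this PR or the project), the following Python check does programmatically what the inspect output above shows by eye: it parses an OCI image index, separates real platform manifests from BuildKit attestation manifests by the `vnd.docker.reference.type` annotation, flags any attestation whose referenced digest is not in the same index, and shows what the index looks like once those entries are gone. The index JSON is constructed here; its digests are the ones from the inspect output above.

```python
"""Classify OCI image-index entries: platform images vs. BuildKit attestation
manifests (the 'unknown/unknown' rows GHCR shows), checking their references."""
import json

REF_TYPE, REF_DIGEST = "vnd.docker.reference.type", "vnd.docker.reference.digest"
ATTESTATION = "attestation-manifest"
MANIFEST_MT = "application/vnd.oci.image.manifest.v1+json"

# Digests as shown in the PR's `imagetools inspect` output.
AMD64 = "sha256:f9ffa3a13919dcba90a3e1edc3df3ebfcc8ebb16bacb4fab6d6e4ef658fe5f2d"
AMD64_ATT = "sha256:ce0ddfe5c1bb96099f77f87f786c69595f6f36194efa0dee66c202f140507645"
ARM64 = "sha256:6a779932e07bf430d21fe8f78268c4465a8168995331f4033f4f7b3b15771318"
ARM64_ATT = "sha256:503461cba08afa6a46a51aa9ff98c6b229fad1396412e16810daf094f8e2cf83"

def _entry(digest, os_, arch, ref=None):
    """Build one index entry; `ref` marks it as a BuildKit attestation for `ref`."""
    e = {"mediaType": MANIFEST_MT, "digest": digest,
         "platform": {"os": os_, "architecture": arch}}
    if ref:
        e["annotations"] = {REF_DIGEST: ref, REF_TYPE: ATTESTATION}
    return e

# Constructed index JSON mirroring the four entries in the PR description.
SAMPLE_INDEX = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [_entry(AMD64, "linux", "amd64"), _entry(AMD64_ATT, "unknown", "unknown", AMD64),
                  _entry(ARM64, "linux", "arm64"), _entry(ARM64_ATT, "unknown", "unknown", ARM64)],
})

def classify_index(index_json):
    """Return (platforms, attestations, dangling): platform entries by digest,
    attestations mapped to the digest they attest, and attestations whose
    referenced image is missing from the same index."""
    index = json.loads(index_json)
    platforms, attestations = {}, {}
    for m in index.get("manifests", []):
        ann, plat = m.get("annotations") or {}, m.get("platform") or {}
        if ann.get(REF_TYPE) == ATTESTATION:
            attestations[m["digest"]] = ann.get(REF_DIGEST)
        else:
            platforms[m["digest"]] = f"{plat.get('os', 'unknown')}/{plat.get('architecture', 'unknown')}"
    dangling = sorted(d for d, ref in attestations.items() if ref not in platforms)
    return platforms, attestations, dangling

def strip_attestations(index_json):
    """The index with BuildKit attestation entries removed, i.e. platform manifests only."""
    index = json.loads(index_json)
    index["manifests"] = [m for m in index["manifests"]
                          if (m.get("annotations") or {}).get(REF_TYPE) != ATTESTATION]
    return index
```

Run `classify_index` against `docker buildx imagetools inspect --raw <image>` output to confirm that every attestation manifest in a published index points at an image that is actually in it.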