From e8d3cafb81a83ea3d2a923406addeefbf0a0a397 Mon Sep 17 00:00:00 2001 From: Muhammad Atif Ali Date: Tue, 11 Mar 2025 11:20:46 +0000 Subject: [PATCH 1/5] chore: enable SBOM and fix Docker multiarch manifests with attestations MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Enable SBOM and provenance attestations in Docker builds - Update build_docker_multiarch.sh to handle images with attestations - Fix issue with Docker manifest creation for images with multiple attestation manifests - Make Docker daemon config use containerd by default 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude Signed-off-by: Thomas Kosiewski --- .github/workflows/release.yaml | 1 + dogfood/coder/files/etc/docker/daemon.json | 5 ++++- scripts/build_docker.sh | 4 +++- scripts/build_docker_multiarch.sh | 21 ++++++++++++++++----- 4 files changed, 24 insertions(+), 7 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index a963a7da6b19a..b381e2c4447e2 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -361,6 +361,7 @@ jobs: file: scripts/Dockerfile.base platforms: linux/amd64,linux/arm64,linux/arm/v7 provenance: true + sbom: true pull: true no-cache: true push: true diff --git a/dogfood/coder/files/etc/docker/daemon.json b/dogfood/coder/files/etc/docker/daemon.json index c2cbc52c3cc45..33b0126288fda 100644 --- a/dogfood/coder/files/etc/docker/daemon.json +++ b/dogfood/coder/files/etc/docker/daemon.json @@ -1,3 +1,6 @@ { - "registry-mirrors": ["https://mirror.gcr.io"] + "registry-mirrors": ["https://mirror.gcr.io"], + "features": { + "containerd-snapshotter": true + } } diff --git a/scripts/build_docker.sh b/scripts/build_docker.sh index 1bee954e9713c..bf3e3bb8116bb 100755 --- a/scripts/build_docker.sh +++ b/scripts/build_docker.sh 
@@ -136,10 +136,12 @@ fi log "--- Building Docker image for $arch ($image_tag)" -docker build \ +docker buildx build \ --platform "$arch" \ --build-arg "BASE_IMAGE=$base_image" \ --build-arg "CODER_VERSION=$version" \ + --provenance true \ + --sbom true \ --no-cache \ --tag "$image_tag" \ -f Dockerfile \ diff --git a/scripts/build_docker_multiarch.sh b/scripts/build_docker_multiarch.sh index f2ce0c16f59ac..aa7334ce4a30a 100755 --- a/scripts/build_docker_multiarch.sh +++ b/scripts/build_docker_multiarch.sh @@ -77,13 +77,24 @@ done # Sadly, manifests don't seem to support labels. log "--- Creating multi-arch Docker image ($target)" -docker manifest create \ - "$target" \ - "${create_args[@]}" + +# Create a buildx builder instance if it doesn't exist +if ! docker buildx inspect multiarch-builder &>/dev/null; then + docker buildx create --name multiarch-builder --use +fi + +# Create manifest with buildx imagetools +log "--- Creating multi-arch manifest with attestations" + +# For images with attestations, we preserve the entire structure by using image tags directly, +# letting Docker handle retrieving both the architecture manifests and attestation manifests +docker buildx imagetools create --tag "$target" "$@" if [[ "$push" == 1 ]]; then - log "--- Pushing multi-arch Docker image ($target)" - docker manifest push "$target" + log "--- Verifying multi-arch Docker image ($target)" + # The manifest is already created and pushed when using buildx imagetools create + # We just need to verify it exists + docker buildx imagetools inspect "$target" fi echo "$target" From 0ea76fefccdc73a257b23ee3b3b29a8ca7001d64 Mon Sep 17 00:00:00 2001 From: Thomas Kosiewski Date: Wed, 12 Mar 2025 14:15:50 +0100 Subject: [PATCH 2/5] chore: add syft and cosign for sbom attestation Change-Id: I3f9b6e0447713eb16e50af9b1645d6cacf1af9fa 
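Review bot: `docker buildx imagetools create --tag "$target" "$@"` writes the manifest list straight to the registry, so after this hunk the `--push` flag no longer gates anything — a local or dry-run invocation pushes `$target` anyway, and the `if [[ "$push" == 1 ]]` branch only runs `imagetools inspect`. If the unconditional push is intended, the option parser should stop accepting `--push` and the `log` text should say so; otherwise `create` has to move inside the `if`. The hunk also swaps `"${create_args[@]}"` for `"$@"`; the loop that builds `create_args` starts above the hunk, so whether `"$@"` still holds only image references after option parsing cannot be confirmed from here. `docker buildx create --name multiarch-builder --use` also switches the caller's default builder as a side effect; prefer `docker buildx create --name multiarch-builder` plus `--builder multiarch-builder` on the `imagetools` call.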
Signed-off-by: Thomas Kosiewski --- .github/workflows/ci.yaml | 11 +++++++++++ .github/workflows/release.yaml | 11 +++++++++++ dogfood/coder/Dockerfile | 12 ++++++++++-- flake.nix | 2 ++ scripts/build_docker.sh | 17 ++++++++++++++--- scripts/build_docker_multiarch.sh | 21 +++++---------------- 6 files changed, 53 insertions(+), 21 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index cb44105012315..a0b288ba2f9c7 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -1024,6 +1024,7 @@ jobs: # Necessary to push docker images to ghcr.io. packages: write # Necessary for GCP authentication (https://github.com/google-github-actions/setup-gcloud#usage) + # Also necessary for keyless cosign (https://docs.sigstore.dev/cosign/signing/overview/) id-token: write env: DOCKER_CLI_EXPERIMENTAL: "enabled" @@ -1069,6 +1070,16 @@ jobs: - name: Install zstd run: sudo apt-get install -y zstd + - name: Install cosign + uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1 + with: + cosign-release: "v2.4.3" + + - name: Install syft + uses: anchore/sbom-action/download-syft@f325610c9f50a54015d37c8d16cb3b0e2c8f4de0 # v0.18.0 + with: + syft-version: "v1.20.0" + - name: Setup Windows EV Signing Certificate run: | set -euo pipefail diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index b381e2c4447e2..459f945dbe632 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -122,6 +122,7 @@ jobs: # Necessary to push docker images to ghcr.io. packages: write # Necessary for GCP authentication (https://github.com/google-github-actions/setup-gcloud#usage) + # Also necessary for keyless cosign (https://docs.sigstore.dev/cosign/signing/overview/) id-token: write env: # Necessary for Docker manifest 
@@ -246,6 +247,16 @@ jobs: apple-codesign-0.22.0-x86_64-unknown-linux-musl/rcodesign rm /tmp/rcodesign.tar.gz + - name: Install cosign + uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1 + with: + cosign-release: "v2.4.3" + + - name: Install syft + uses: anchore/sbom-action/download-syft@f325610c9f50a54015d37c8d16cb3b0e2c8f4de0 # v0.18.0 + with: + syft-version: "v1.20.0" + - name: Setup Apple Developer certificate and API key run: | set -euo pipefail diff --git a/dogfood/coder/Dockerfile b/dogfood/coder/Dockerfile index c0fff117e8940..4cf8044977a33 100644 --- a/dogfood/coder/Dockerfile +++ b/dogfood/coder/Dockerfile @@ -278,7 +278,9 @@ ARG CLOUD_SQL_PROXY_VERSION=2.2.0 \ KUBECTX_VERSION=0.9.4 \ STRIPE_VERSION=1.14.5 \ TERRAGRUNT_VERSION=0.45.11 \ - TRIVY_VERSION=0.41.0 + TRIVY_VERSION=0.41.0 \ + SYFT_VERSION=1.20.0 \ + COSIGN_VERSION=2.4.3 # cloud_sql_proxy, for connecting to cloudsql instances # the upstream go.mod prevents this from being installed with go install 
@@ -316,7 +318,13 @@ RUN curl --silent --show-error --location --output /usr/local/bin/cloud_sql_prox chmod a=rx /usr/local/bin/terragrunt && \ # AquaSec Trivy for scanning container images for security issues curl --silent --show-error --location "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" | \ - tar --extract --gzip --directory=/usr/local/bin --file=- trivy + tar --extract --gzip --directory=/usr/local/bin --file=- trivy && \ + # Anchore Syft for SBOM generation + curl --silent --show-error --location "https://github.com/anchore/syft/releases/download/v${SYFT_VERSION}/syft_${SYFT_VERSION}_linux-amd64.tar.gz" | \ + tar --extract --gzip --directory=/usr/local/bin --file=- syft \ + # Sigstore Cosign for artifact signing and attestation + curl --silent --show-error --location --output /usr/local/bin/cosign "https://github.com/sigstore/cosign/releases/download/v${COSIGN_VERSION}/cosign-linux-amd64" && \ + chmod a=rx /usr/local/bin/cosign # We use yq during "make deploy" to manually substitute out fields in # our helm values.yaml file. See https://github.com/helm/helm/issues/3141 diff --git a/flake.nix b/flake.nix index f88661ebf16cc..bb8f466383f04 100644 --- a/flake.nix +++ b/flake.nix @@ -113,6 +113,7 @@ bat cairo curl + cosign delve dive drpc.defaultPackage.${system} @@ -161,6 +162,7 @@ shellcheck (pinnedPkgs.shfmt) sqlc + syft unstablePkgs.terraform typos which diff --git a/scripts/build_docker.sh b/scripts/build_docker.sh index bf3e3bb8116bb..66c21b361afaa 100755 --- a/scripts/build_docker.sh +++ b/scripts/build_docker.sh @@ -136,12 +136,10 @@ fi log "--- Building Docker image for $arch ($image_tag)" -docker buildx build \ +docker build \ --platform "$arch" \ --build-arg "BASE_IMAGE=$base_image" \ --build-arg "CODER_VERSION=$version" \ - --provenance true \ - --sbom true \ --no-cache \ --tag "$image_tag" \ -f Dockerfile \ 
@@ -155,4 +153,17 @@ if [[ "$push" == 1 ]]; then docker push "$image_tag" 1>&2 fi +log "--- Generating SBOM for Docker image ($image_tag)" +syft "$image_tag" -o spdx-json >"${image_tag}.spdx.json" + +if [[ "$push" == 1 ]]; then + log "--- Attesting SBOM to Docker image for $arch ($image_tag)" + COSIGN_EXPERIMENTAL=1 cosign clean "$image_tag" + + COSIGN_EXPERIMENTAL=1 cosign attest --type spdxjson \ + --predicate "${image_tag}.spdx.json" \ + --yes \ + "$image_tag" +fi + echo "$image_tag" diff --git a/scripts/build_docker_multiarch.sh b/scripts/build_docker_multiarch.sh index aa7334ce4a30a..f2ce0c16f59ac 100755 --- a/scripts/build_docker_multiarch.sh +++ b/scripts/build_docker_multiarch.sh @@ -77,24 +77,13 @@ done # Sadly, manifests don't seem to support labels. log "--- Creating multi-arch Docker image ($target)" - -# Create a buildx builder instance if it doesn't exist -if ! docker buildx inspect multiarch-builder &>/dev/null; then - docker buildx create --name multiarch-builder --use -fi - -# Create manifest with buildx imagetools -log "--- Creating multi-arch manifest with attestations" - -# For images with attestations, we preserve the entire structure by using image tags directly, -# letting Docker handle retrieving both the architecture manifests and attestation manifests -docker buildx imagetools create --tag "$target" "$@" +docker manifest create \ + "$target" \ + "${create_args[@]}" if [[ "$push" == 1 ]]; then - log "--- Verifying multi-arch Docker image ($target)" - # The manifest is already created and pushed when using buildx imagetools create - # We just need to verify it exists - docker buildx imagetools inspect "$target" + log "--- Pushing multi-arch Docker image ($target)" + docker manifest push "$target" fi echo "$target" From b84ddea643e26b71a67229994e6b39f48c505b87 Mon Sep 17 00:00:00 2001 
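Review bot: `cosign attest ... "$image_tag"` binds the SBOM to whatever digest the tag resolves to at that instant, so anything that re-tags between `docker push` and this step gets attested instead of the image just built; capture the pushed digest and attest that (cosign itself warns when given a tag). `cosign clean "$image_tag"` defaults to `--type all`, so it also strips any existing signatures on the image, not just stale attestations — either pass `--type attestation` (and `--force`, if this cosign version prompts in non-interactive CI) or drop the step and let repeated runs append. The SBOM goes to `"${image_tag}.spdx.json"`; for a tag of the form `registry/org/repo:tag` that is a path under a `registry/org/` directory that does not exist in the build cwd, and the file is never cleaned up — write it to a `mktemp` file instead. `COSIGN_EXPERIMENTAL=1` is a no-op on the pinned cosign v2.4.3 (keyless is the default in v2). The `trap` below assumes the script has no EXIT trap already; check the part above the hunk.
```shell
log "--- Generating SBOM for Docker image ($image_tag)"
sbom_file="$(mktemp --suffix=.spdx.json)"
trap 'rm -f -- "$sbom_file"' EXIT
syft "$image_tag" -o spdx-json >"$sbom_file"

if [[ "$push" == 1 ]]; then
  # Attest the immutable digest that was just pushed, not the mutable tag.
  # RepoDigests[0] is assumed to be this repo's digest; verify if the image
  # can carry digests from other repositories.
  image_digest="$(docker inspect --format '{{index .RepoDigests 0}}' "$image_tag")"
  log "--- Attesting SBOM to Docker image for $arch ($image_digest)"
  cosign attest --type spdxjson \
    --predicate "$sbom_file" \
    --yes \
    "$image_digest"
fi
```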
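Review bot: Reverting to `docker manifest create`/`docker manifest push` leaves `$target` — the multi-arch reference users actually pull — with no attestation at all: the cosign SBOM attestations from `build_docker.sh` hang off the per-platform digests, and a manifest list does not inherit them, so `cosign verify-attestation ghcr.io/...:tag` against this image will find nothing. Either attest the index after the push, e.g. `index_digest="$(docker buildx imagetools inspect "$target" --format '{{.Manifest.Digest}}')"` followed by a `cosign attest --yes ... "${target%:*}@${index_digest}"` (note `${target%:*}` assumes the tag is the last colon-separated component), or add a comment at the `log "--- Creating multi-arch Docker image ($target)"` line stating that verification must be run against the platform-specific digest, e.g. `# NOTE: SBOM attestations are attached to the per-arch images only; verify with cosign against image@<platform digest>, not this manifest list.`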
From: M Atif Ali Date: Wed, 12 Mar 2025 22:12:37 +0500 Subject: [PATCH 3/5] Discard changes to dogfood/coder/files/etc/docker/daemon.json --- dogfood/coder/files/etc/docker/daemon.json | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/dogfood/coder/files/etc/docker/daemon.json b/dogfood/coder/files/etc/docker/daemon.json index 33b0126288fda..c2cbc52c3cc45 100644 --- a/dogfood/coder/files/etc/docker/daemon.json +++ b/dogfood/coder/files/etc/docker/daemon.json @@ -1,6 +1,3 @@ { - "registry-mirrors": ["https://mirror.gcr.io"], - "features": { - "containerd-snapshotter": true - } + "registry-mirrors": ["https://mirror.gcr.io"] } From 3ab1ab62c7555ef3c63cc583e13318df76938908 Mon Sep 17 00:00:00 2001 From: Thomas Kosiewski Date: Thu, 13 Mar 2025 12:48:07 +0100 Subject: [PATCH 4/5] chore: add GitHub Actions attestations for SLSA provenance on Docker images This adds GitHub Actions attestations to both CI and release workflows, providing SLSA provenance verification for all Docker images built in the pipeline. This complements our existing cosign SBOM attestations to improve our software supply chain security posture. - Add attestations:write permission to both workflows - Add SLSA provenance attestation for all Docker image tags - Include error handling to make attestation failures non-blocking - Add detailed comments explaining the attestation strategy Change-Id: I06761204cdcd31a0a648acfd057bcd45f55bdc9c Signed-off-by: Thomas Kosiewski --- .github/workflows/ci.yaml | 135 ++++++++++++++++++++++++++++ .github/workflows/release.yaml | 155 +++++++++++++++++++++++++++++++++ 2 files changed, 290 insertions(+) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index a0b288ba2f9c7..9c3e335103771 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml 
@@ -1025,7 +1025,10 @@ jobs: packages: write # Necessary for GCP authentication (https://github.com/google-github-actions/setup-gcloud#usage) # Also necessary for keyless cosign (https://docs.sigstore.dev/cosign/signing/overview/) + # And for GitHub Actions attestation id-token: write + # Required for GitHub Actions attestation + attestations: write env: DOCKER_CLI_EXPERIMENTAL: "enabled" outputs: 
@@ -1181,6 +1184,138 @@ jobs: done fi + # GitHub attestation provides SLSA provenance for the Docker images, establishing a verifiable + # record that these images were built in GitHub Actions with specific inputs and environment. + # This complements our existing cosign attestations which focus on SBOMs. + # + # We attest each tag separately to ensure all tags have proper provenance records. + # TODO: Consider refactoring these steps to use a matrix strategy or composite action to reduce duplication + # while maintaining the required functionality for each tag. + - name: GitHub Attestation for Docker image + id: attest_main + if: github.ref == 'refs/heads/main' + continue-on-error: true + uses: actions/attest@a63cfcc7d1aab266ee064c58250cfc2c7d07bc31 # v2.2.1 + with: + subject-name: "ghcr.io/coder/coder-preview:main" + predicate-type: "https://slsa.dev/provenance/v1" + predicate: | + { + "buildType": "https://github.com/actions/runner-images/", + "builder": { + "id": "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}" + }, + "invocation": { + "configSource": { + "uri": "git+https://github.com/${{ github.repository }}@${{ github.ref }}", + "digest": { + "sha1": "${{ github.sha }}" + }, + "entryPoint": ".github/workflows/ci.yaml" + }, + "environment": { + "github_workflow": "${{ github.workflow }}", + "github_run_id": "${{ github.run_id }}" + } + }, + "metadata": { + "buildInvocationID": "${{ github.run_id }}", + "completeness": { + "environment": true, + "materials": true + } + } + } + push-to-registry: true + + - name: GitHub Attestation for Docker image (latest tag) + id: attest_latest + if: github.ref == 'refs/heads/main' + continue-on-error: true + uses: actions/attest@a63cfcc7d1aab266ee064c58250cfc2c7d07bc31 # v2.2.1 + with: + subject-name: "ghcr.io/coder/coder-preview:latest" + predicate-type: "https://slsa.dev/provenance/v1" + predicate: | + { + "buildType": "https://github.com/actions/runner-images/", + "builder": { + "id": 
"https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}" + }, + "invocation": { + "configSource": { + "uri": "git+https://github.com/${{ github.repository }}@${{ github.ref }}", + "digest": { + "sha1": "${{ github.sha }}" + }, + "entryPoint": ".github/workflows/ci.yaml" + }, + "environment": { + "github_workflow": "${{ github.workflow }}", + "github_run_id": "${{ github.run_id }}" + } + }, + "metadata": { + "buildInvocationID": "${{ github.run_id }}", + "completeness": { + "environment": true, + "materials": true + } + } + } + push-to-registry: true + + - name: GitHub Attestation for version-specific Docker image + id: attest_version + if: github.ref == 'refs/heads/main' + continue-on-error: true + uses: actions/attest@a63cfcc7d1aab266ee064c58250cfc2c7d07bc31 # v2.2.1 + with: + subject-name: "ghcr.io/coder/coder-preview:${{ steps.build-docker.outputs.tag }}" + predicate-type: "https://slsa.dev/provenance/v1" + predicate: | + { + "buildType": "https://github.com/actions/runner-images/", + "builder": { + "id": "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}" + }, + "invocation": { + "configSource": { + "uri": "git+https://github.com/${{ github.repository }}@${{ github.ref }}", + "digest": { + "sha1": "${{ github.sha }}" + }, + "entryPoint": ".github/workflows/ci.yaml" + }, + "environment": { + "github_workflow": "${{ github.workflow }}", + "github_run_id": "${{ github.run_id }}" + } + }, + "metadata": { + "buildInvocationID": "${{ github.run_id }}", + "completeness": { + "environment": true, + "materials": true + } + } + } + push-to-registry: true + + # Report attestation failures but don't fail the workflow + - name: Check attestation status + if: github.ref == 'refs/heads/main' + run: | + if [[ "${{ steps.attest_main.outcome }}" == "failure" ]]; then + echo "::warning::GitHub attestation for main tag failed" + fi + if [[ "${{ steps.attest_latest.outcome }}" == "failure" ]]; then + echo "::warning::GitHub 
attestation for latest tag failed" + fi + if [[ "${{ steps.attest_version.outcome }}" == "failure" ]]; then + echo "::warning::GitHub attestation for version-specific tag failed" + fi + - name: Prune old images if: github.ref == 'refs/heads/main' uses: vlaurin/action-ghcr-prune@0cf7d39f88546edd31965acba78cdcb0be14d641 # v0.6.0 diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 459f945dbe632..b108409dda96a 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -123,7 +123,10 @@ jobs: packages: write # Necessary for GCP authentication (https://github.com/google-github-actions/setup-gcloud#usage) # Also necessary for keyless cosign (https://docs.sigstore.dev/cosign/signing/overview/) + # And for GitHub Actions attestation id-token: write + # Required for GitHub Actions attestation + attestations: write env: # Necessary for Docker manifest DOCKER_CLI_EXPERIMENTAL: "enabled" 
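Review bot: The predicate declares `predicate-type: "https://slsa.dev/provenance/v1"` but its body is laid out like SLSA v0.2 (`builder.id`, `invocation.configSource`, `metadata.buildInvocationID`, `completeness`) rather than v1's `buildDefinition`/`runDetails`, so SLSA-aware verifiers will reject or mis-parse it. The subject is also given only as a mutable tag (`subject-name: "ghcr.io/coder/coder-preview:main"`) with no `subject-digest`, so nothing ties the statement to the image bytes — and as far as I recall `actions/attest` refuses a `subject-name` without a digest, which `continue-on-error: true` would then reduce to a `::warning` while an unattested image ships. `"completeness": {"materials": true}` with no materials listed is a false claim and worse than omitting it. Rather than hand-writing provenance, have the build step emit the pushed digest (e.g. `docker buildx imagetools inspect "$tag" --format '{{.Manifest.Digest}}'` into `$GITHUB_OUTPUT`; `steps.build-docker` exposes only `tag` today) and use `actions/attest-build-provenance` once per digest — `:main`, `:latest` and the versioned tag are the same image, so one attestation covers all three. Consider making the step blocking on `main`.
```yaml
      # … unchanged: preceding steps …
      - name: Attest build provenance for Docker image
        if: github.ref == 'refs/heads/main'
        uses: actions/attest-build-provenance@<pinned-sha> # pin to a release
        with:
          subject-name: ghcr.io/coder/coder-preview
          # digest output to be added to the build step, e.g.
          #   docker buildx imagetools inspect "$tag" --format '{{.Manifest.Digest}}'
          subject-digest: ${{ steps.build-docker.outputs.digest }}
          push-to-registry: true
```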
@@ -409,7 +412,52 @@ jobs: echo "$manifests" | grep -q linux/arm64 echo "$manifests" | grep -q linux/arm/v7 + # GitHub attestation provides SLSA provenance for Docker images, establishing a verifiable + # record that these images were built in GitHub Actions with specific inputs and environment. + # This complements our existing cosign attestations (which focus on SBOMs) by adding + # GitHub-specific build provenance to enhance our supply chain security. + # + # TODO: Consider refactoring these attestation steps to use a matrix strategy or composite action + # to reduce duplication while maintaining the required functionality for each distinct image tag. + - name: GitHub Attestation for Base Docker image + id: attest_base + if: ${{ !inputs.dry_run && steps.image-base-tag.outputs.tag != '' }} + continue-on-error: true + uses: actions/attest@a63cfcc7d1aab266ee064c58250cfc2c7d07bc31 # v2.2.1 + with: + subject-name: ${{ steps.image-base-tag.outputs.tag }} + predicate-type: "https://slsa.dev/provenance/v1" + predicate: | + { + "buildType": "https://github.com/actions/runner-images/", + "builder": { + "id": "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}" + }, + "invocation": { + "configSource": { + "uri": "git+https://github.com/${{ github.repository }}@${{ github.ref }}", + "digest": { + "sha1": "${{ github.sha }}" + }, + "entryPoint": ".github/workflows/release.yaml" + }, + "environment": { + "github_workflow": "${{ github.workflow }}", + "github_run_id": "${{ github.run_id }}" + } + }, + "metadata": { + "buildInvocationID": "${{ github.run_id }}", + "completeness": { + "environment": true, + "materials": true + } + } + } + push-to-registry: true + - name: Build Linux Docker images + id: build_docker run: | set -euxo pipefail 
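Review bot: `subject-name: ${{ steps.image-base-tag.outputs.tag }}` is a tag with no `subject-digest`, so this statement is not bound to the base image that was pushed, and the body is a v0.2-shaped document under a `predicate-type` of SLSA v1, as in the CI workflow. The base image appears to be built earlier in this job by `docker/build-push-action` (outside this hunk; see the `file: scripts/Dockerfile.base` step), which exposes the pushed digest as `outputs.digest` on its step; pass that as `subject-digest: ${{ steps.<base-build-step>.outputs.digest }}` with `subject-name` reduced to the repository path, and prefer `actions/attest-build-provenance` over the hand-written predicate. Do not assert `completeness: {environment: true, materials: true}` while no materials are listed.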
@@ -428,18 +476,125 @@ jobs: # being pushed so will automatically push them. make push/build/coder_"$version"_linux.tag + # Save multiarch image tag for attestation + multiarch_image="$(./scripts/image_tag.sh)" + echo "multiarch_image=${multiarch_image}" >> $GITHUB_OUTPUT + + # For debugging, print all docker image tags + docker images + # if the current version is equal to the highest (according to semver) # version in the repo, also create a multi-arch image as ":latest" and # push it + created_latest_tag=false if [[ "$(git tag | grep '^v' | grep -vE '(rc|dev|-|\+|\/)' | sort -r --version-sort | head -n1)" == "v$(./scripts/version.sh)" ]]; then ./scripts/build_docker_multiarch.sh \ --push \ --target "$(./scripts/image_tag.sh --version latest)" \ $(cat build/coder_"$version"_linux_{amd64,arm64,armv7}.tag) + created_latest_tag=true + echo "created_latest_tag=true" >> $GITHUB_OUTPUT + else + echo "created_latest_tag=false" >> $GITHUB_OUTPUT fi env: CODER_BASE_IMAGE_TAG: ${{ steps.image-base-tag.outputs.tag }} + - name: GitHub Attestation for Docker image + id: attest_main + if: ${{ !inputs.dry_run }} + continue-on-error: true + uses: actions/attest@a63cfcc7d1aab266ee064c58250cfc2c7d07bc31 # v2.2.1 + with: + subject-name: ${{ steps.build_docker.outputs.multiarch_image }} + predicate-type: "https://slsa.dev/provenance/v1" + predicate: | + { + "buildType": "https://github.com/actions/runner-images/", + "builder": { + "id": "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}" + }, + "invocation": { + "configSource": { + "uri": "git+https://github.com/${{ github.repository }}@${{ github.ref }}", + "digest": { + "sha1": "${{ github.sha }}" + }, + "entryPoint": ".github/workflows/release.yaml" + }, + "environment": { + "github_workflow": "${{ github.workflow }}", + "github_run_id": "${{ github.run_id }}" + } + }, + "metadata": { + "buildInvocationID": "${{ github.run_id }}", + "completeness": { + "environment": true, + "materials": true + } + } + 
} + push-to-registry: true + + # Get the latest tag name for attestation + - name: Get latest tag name + id: latest_tag + if: ${{ !inputs.dry_run && steps.build_docker.outputs.created_latest_tag == 'true' }} + run: echo "tag=$(./scripts/image_tag.sh --version latest)" >> $GITHUB_OUTPUT + + # If this is the highest version according to semver, also attest the "latest" tag + - name: GitHub Attestation for "latest" Docker image + id: attest_latest + if: ${{ !inputs.dry_run && steps.build_docker.outputs.created_latest_tag == 'true' }} + continue-on-error: true + uses: actions/attest@a63cfcc7d1aab266ee064c58250cfc2c7d07bc31 # v2.2.1 + with: + subject-name: ${{ steps.latest_tag.outputs.tag }} + predicate-type: "https://slsa.dev/provenance/v1" + predicate: | + { + "buildType": "https://github.com/actions/runner-images/", + "builder": { + "id": "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}" + }, + "invocation": { + "configSource": { + "uri": "git+https://github.com/${{ github.repository }}@${{ github.ref }}", + "digest": { + "sha1": "${{ github.sha }}" + }, + "entryPoint": ".github/workflows/release.yaml" + }, + "environment": { + "github_workflow": "${{ github.workflow }}", + "github_run_id": "${{ github.run_id }}" + } + }, + "metadata": { + "buildInvocationID": "${{ github.run_id }}", + "completeness": { + "environment": true, + "materials": true + } + } + } + push-to-registry: true + + # Report attestation failures but don't fail the workflow + - name: Check attestation status + if: ${{ !inputs.dry_run }} + run: | + if [[ "${{ steps.attest_base.outcome }}" == "failure" && "${{ steps.attest_base.conclusion }}" != "skipped" ]]; then + echo "::warning::GitHub attestation for base image failed" + fi + if [[ "${{ steps.attest_main.outcome }}" == "failure" ]]; then + echo "::warning::GitHub attestation for main image failed" + fi + if [[ "${{ steps.attest_latest.outcome }}" == "failure" && "${{ steps.attest_latest.conclusion }}" != "skipped" 
]]; then + echo "::warning::GitHub attestation for latest image failed" + fi + - name: Generate offline docs run: | version="$(./scripts/version.sh)" From 4f7f38b41b76af398c5b5aaa390490fee9e15579 Mon Sep 17 00:00:00 2001 From: Thomas Kosiewski Date: Thu, 13 Mar 2025 12:57:45 +0100 Subject: [PATCH 5/5] fix: add missing && operator in dogfood Dockerfile The installation of Syft and Cosign in the dogfood Dockerfile was missing an && operator between commands, causing the build to fail. This commit adds the missing operator to ensure proper command chaining. Change-Id: I540258ed9638581d7ee704915a2f261d0aed7beb Signed-off-by: Thomas Kosiewski --- dogfood/coder/Dockerfile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/dogfood/coder/Dockerfile b/dogfood/coder/Dockerfile index 4cf8044977a33..f10c18fbd9809 100644 --- a/dogfood/coder/Dockerfile +++ b/dogfood/coder/Dockerfile @@ -9,7 +9,7 @@ RUN cargo install exa bat ripgrep typos-cli watchexec-cli && \ FROM ubuntu:jammy@sha256:0e5e4a57c2499249aafc3b40fcd541e9a456aab7296681a3994d631587203f97 AS go # Install Go manually, so that we can control the version -ARG GO_VERSION=1.22.8 +ARG GO_VERSION=1.24.1 # Boring Go is needed to build FIPS-compliant binaries. RUN apt-get update && \ 
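Review bot: `subject-name: ${{ steps.build_docker.outputs.multiarch_image }}` is a mutable tag with no `subject-digest`, so the provenance is not bound to the manifest list that was just pushed, and as far as I recall `actions/attest` rejects a `subject-name` without a digest — a failure `continue-on-error: true` turns into a `::warning` on a release. Have the build step record the index digest next to the tag, `multiarch_digest="$(docker buildx imagetools inspect "$multiarch_image" --format '{{.Manifest.Digest}}')"` and `echo "multiarch_digest=${multiarch_digest}" >> "$GITHUB_OUTPUT"`, then pass `subject-digest: ${{ steps.build_docker.outputs.multiarch_digest }}` to both attestation steps; `latest` is the same manifest, so one attestation covers it. The shell variable `created_latest_tag` is assigned but never read (the step outputs already carry the value), and `docker images` dumps every image on the runner into the release log — drop both. The new `>> $GITHUB_OUTPUT` redirects leave the variable unquoted (ShellCheck SC2086).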
@@ -320,8 +320,8 @@ RUN curl --silent --show-error --location --output /usr/local/bin/cloud_sql_prox curl --silent --show-error --location "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" | \ tar --extract --gzip --directory=/usr/local/bin --file=- trivy && \ # Anchore Syft for SBOM generation - curl --silent --show-error --location "https://github.com/anchore/syft/releases/download/v${SYFT_VERSION}/syft_${SYFT_VERSION}_linux-amd64.tar.gz" | \ - tar --extract --gzip --directory=/usr/local/bin --file=- syft \ + curl --silent --show-error --location "https://github.com/anchore/syft/releases/download/v${SYFT_VERSION}/syft_${SYFT_VERSION}_linux_amd64.tar.gz" | \ + tar --extract --gzip --directory=/usr/local/bin --file=- syft && \ # Sigstore Cosign for artifact signing and attestation curl --silent --show-error --location --output /usr/local/bin/cosign "https://github.com/sigstore/cosign/releases/download/v${COSIGN_VERSION}/cosign-linux-amd64" && \ chmod a=rx /usr/local/bin/cosign
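Review bot: The syft tarball and the cosign binary are fetched over HTTPS and installed without any checksum or signature check, so `SYFT_VERSION`/`COSIGN_VERSION` pin a version string but not the bytes that land in `/usr/local/bin` — and cosign is the tool the rest of this series uses to sign. Both projects publish a goreleaser-style checksums file with each release (`syft_${SYFT_VERSION}_checksums.txt`, `cosign_checksums.txt`; confirm the exact asset names), so download to a temp file, verify with `sha256sum --check --ignore-missing`, then extract. The pre-existing trivy download above has the same gap; fixing it the same way would be consistent but is not required by this change.
```dockerfile
    # Anchore Syft for SBOM generation (checksum-verified before extraction)
    curl --silent --show-error --location --output "/tmp/syft_${SYFT_VERSION}_linux_amd64.tar.gz" "https://github.com/anchore/syft/releases/download/v${SYFT_VERSION}/syft_${SYFT_VERSION}_linux_amd64.tar.gz" && \
    curl --silent --show-error --location "https://github.com/anchore/syft/releases/download/v${SYFT_VERSION}/syft_${SYFT_VERSION}_checksums.txt" | \
    (cd /tmp && sha256sum --check --ignore-missing) && \
    tar --extract --gzip --directory=/usr/local/bin --file="/tmp/syft_${SYFT_VERSION}_linux_amd64.tar.gz" syft && \
    rm "/tmp/syft_${SYFT_VERSION}_linux_amd64.tar.gz" && \
    # Sigstore Cosign for artifact signing and attestation (checksum-verified)
    curl --silent --show-error --location --output /tmp/cosign-linux-amd64 "https://github.com/sigstore/cosign/releases/download/v${COSIGN_VERSION}/cosign-linux-amd64" && \
    curl --silent --show-error --location "https://github.com/sigstore/cosign/releases/download/v${COSIGN_VERSION}/cosign_checksums.txt" | \
    (cd /tmp && sha256sum --check --ignore-missing) && \
    install -m 0755 /tmp/cosign-linux-amd64 /usr/local/bin/cosign && \
    rm /tmp/cosign-linux-amd64
```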