security: verify docs-builder :edge attestation in consumer workflows#160
Draft
cotti wants to merge 7 commits into
Draft
security: verify docs-builder :edge attestation in consumer workflows#160cotti wants to merge 7 commits into
cotti wants to merge 7 commits into
Conversation
Add `gh attestation verify` to both consumer paths that pull `ghcr.io/elastic/docs-builder:edge`: - `.github/workflows/docs-deploy.yml` (Pull and pin docs-builder image) - `docs-builder/setup/action.yml` (edge branch) Both already resolve :edge to an immutable RepoDigest. They now also verify the SLSA build-provenance attestation minted by docs-builder's prerelease.yml (elastic/docs-eng-team#518), constraining the attestation issuer to `elastic/docs-builder` via `-R` so an attacker cannot self-sign under their own repo and have it accepted. Depends on the producer side shipping in elastic/docs-builder first and at least one signed :edge push existing in the registry; the verify call fails closed otherwise. Co-authored-by: Cursor <cursoragent@cursor.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Consumer-side follow-up to #159 (
fix/hardening-batch) that closes theloop on #518.
After #159, both consumer paths that pull
ghcr.io/elastic/docs-builder:edgealready resolve the mutable tag to an immutable
RepoDigest. This PRadds the missing step: verifying the SLSA build-provenance attestation
that docs-builder's
prerelease.ymlmints on every push, so we don'tjust trust that a digest is stable but also who signed it.
Issue addressed
.github/workflows/docs-deploy.yml(Pull and pin docs-builder image) anddocs-builder/setup/action.yml(edge branch) now rungh attestation verify oci://${DIGEST} -R elastic/docs-builderbetween the digest resolution and any further use of the image.-R elastic/docs-builderconstrains the attestation issuer so an attacker cannot publish a self-signed attestation under their own repo and have it accepted. Fails closed if the attestation is missing, malformed, or signed by an unexpected workflow.Commits
0acc418Verify docs-builder :edge attestation before useDo not merge this PR until both of the following have happened:
security/output-sanitizer) has merged.prerelease.ymlrun on docs-buildermainhas completed successfully and pushed a new:edgedigest with its attestation toghcr.io/elastic/docs-builder.If merged earlier, every
docs-deploy.ymlrun on every consumer repo will fail at the verify step because no signed:edgedigest exists yet. That's the intended fail-closed behaviour, but it would break deploys repo-wide.This PR is kept in draft until that prerequisite is met. Convert to ready once a successful signed prerelease run is observable.
Test plan
:edgeexists, rungh attestation verify oci://ghcr.io/elastic/docs-builder@<latest-edge-digest> -R elastic/docs-builderlocally — should succeed.Pull and pin docs-builder imagestep shows successful verification before container run.EDGE_IMAGEat a fork-built unsigned image (in a scratch branch) — verify the step fails closed with a clear error.Made with Cursor