Skip to content

feat(ci): add SLSA build provenance attestation to Docker builds#147

Open
nexus49 wants to merge 2 commits intomainfrom
feat/add-build-provenance-attestation
Open

feat(ci): add SLSA build provenance attestation to Docker builds#147
nexus49 wants to merge 2 commits intomainfrom
feat/add-build-provenance-attestation

Conversation

@nexus49
Copy link
Copy Markdown
Contributor

@nexus49 nexus49 commented Apr 11, 2026

Summary

  • Adds actions/attest-build-provenance@v4 to the shared job-docker-build-push.yml reusable workflow
  • Produces SLSA-compatible build provenance attestations for all container images pushed to GHCR
  • Attestation is pushed alongside the image via the OCI referrers API, making it discoverable by policy engines (Kyverno, Gatekeeper, Ratify) and gh attestation verify
  • Uses continue-on-error: true so existing caller pipelines that haven't added attestations: write yet won't break

Follow-up required

Caller workflows (all operator/service pipelines) need to add attestations: write to their top-level permissions block for the attestation to succeed. Without it, the step will soft-fail and the image is still built, signed, and pushed as before.

Example change in caller pipelines:

permissions:
  contents: write
  id-token: write
  issues: write
  packages: write
  pull-requests: write
  attestations: write  # ← add this

Verification

After a caller adds attestations: write and merges a build:

gh attestation verify oci://ghcr.io/platform-mesh/<repo>/<image>:<tag> --owner platform-mesh

Ref: platform-mesh/backlog#229

@nexus49 @SAP
feat(ci): add SLSA build provenance attestation to Docker image builds
8ecdad5 
Add actions/attest-build-provenance step to the shared Docker build
workflow, producing SLSA-compatible provenance for all container images
pushed to GHCR. Uses continue-on-error since caller workflows need to
add attestations:write permission to fully enable this.

Ref: platform-mesh/backlog#229

Signed-off-by: Bastian Echterhölter <bastian.echterhoelter@sap.com>
On-behalf-of: @SAP <bastian.echterhoelter@sap.com>
@nexus49 nexus49 requested review from a team as code owners April 11, 2026 10:14
This was referenced Apr 11, 2026
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
@nexus49 @SAP
chore: remove continue-on-error from attestation step
b3b858c 
Caller workflows will have attestations:write before this lands.

Signed-off-by: Bastian Echterhölter <bastian.echterhoelter@sap.com>
On-behalf-of: @SAP <bastian.echterhoelter@sap.com>
@nexus49 nexus49 mentioned this pull request Apr 11, 2026
Open
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@nexus49