Skip to content

stable-20260616: Stable

Choose a tag to compare

View all tags
@github-actions github-actions released this 16 Jun 22:33
· 23 commits to main since this release
stable-20260616
b073dd4

Release card

0 packages in this image. No previous release baseline β€” full inventory below.

πŸ“¦ Full SPDX package inventory β€” 0 packages
Package Version

Supply chain

This image is signed, attested, and ships a full SPDX-JSON SBOM.
Every artifact below is verifiable without trusting this release page.

Tools required β€” install via Homebrew or see links in each section:

brew install cosign oras slsa-verifier

1 β€” Verify the image signature

cosign (Sigstore) verifies the keyless
OIDC signature created by GitHub Actions at build time.

cosign verify \
  --certificate-identity-regexp '^https://github\.com/projectbluefin/(bluefin|actions)/\.github/workflows/' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  ghcr.io/projectbluefin/bluefin@sha256:480293a5465195b3d17d5917d1bc26cd06cd13085c25013a8bf7418772ac0160

A valid response lists the certificate subject and OIDC issuer. Any tampered
image will produce a verification error.

2 β€” Fetch and inspect the SBOM

The SBOM (SPDX 2.3 JSON) is attached to the image as an
OCI referrer using
ORAS (CNCF graduated project).

# Discover the attached SBOM referrer
oras discover \
  --artifact-type application/vnd.spdx+json \
  ghcr.io/projectbluefin/bluefin@sha256:480293a5465195b3d17d5917d1bc26cd06cd13085c25013a8bf7418772ac0160

# Pull the SBOM to disk (replace SBOM_DIGEST with the digest from above)
oras pull \
  --artifact-type application/vnd.spdx+json \
  ghcr.io/projectbluefin/bluefin@<SBOM_DIGEST>

The SBOM is also attached to this release as
bluefin.spdx.json.

3 β€” Verify the SBOM attestation

The SBOM is also stored as a signed
GitHub SBOM attestation
in the Sigstore transparency log.

cosign verify-attestation \
  --type https://spdx.dev/Document \
  --certificate-identity-regexp '^https://github\.com/projectbluefin/(bluefin|actions)/\.github/workflows/' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  ghcr.io/projectbluefin/bluefin@sha256:480293a5465195b3d17d5917d1bc26cd06cd13085c25013a8bf7418772ac0160 \
  | jq -r '.payload | @base64d | fromjson | .predicate.name'

4 β€” Verify SLSA Build L2 provenance

slsa-verifier (OpenSSF)
checks that this image was built by the expected workflow on the expected
source repository β€” not on a developer's laptop or a forked CI runner.

slsa-verifier verify-image \
  ghcr.io/projectbluefin/bluefin@sha256:480293a5465195b3d17d5917d1bc26cd06cd13085c25013a8bf7418772ac0160 \
  --source-uri 'github.com/projectbluefin/bluefin' \
  --source-versioned-tag 'stable-20260616'

You can also inspect the raw provenance:

cosign verify-attestation \
  --type slsaprovenance1 \
  --certificate-identity-regexp '^https://github\.com/projectbluefin/(bluefin|actions)/\.github/workflows/' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  ghcr.io/projectbluefin/bluefin@sha256:480293a5465195b3d17d5917d1bc26cd06cd13085c25013a8bf7418772ac0160 \
  | jq -r '.payload | @base64d | fromjson | .predicate'

Full changelog and verification guide β†’ https://docs.projectbluefin.io/changelogs

Assets 5
Loading