Skip to content

stable-20260623: Stable

Choose a tag to compare

View all tags
@github-actions github-actions released this 23 Jun 23:39
· 5 commits to main since this release
stable-20260623
0c41935
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Variants promoted

Variant Tag Digest
bluefin :stable sha256:3655e13bd2e0
bluefin-nvidia :stable sha256:00fc44fdbb90

Release card

Desktop Screenshot

Captured automatically after e2e validation.

stable-20260623

0 packages in this image. No previous release baseline — full inventory below.

📦 Full SPDX package inventory — 0 packages
Package Version

Supply chain

This image is signed, attested, and ships a full SPDX-JSON SBOM.
Every artifact below is verifiable without trusting this release page.

Tools required — install via Homebrew or see links in each section:

brew install cosign oras slsa-verifier

1 — Verify the image signature

cosign (Sigstore) verifies the keyless
OIDC signature created by GitHub Actions at build time.

cosign verify \
  --certificate-identity-regexp '^https://github\.com/projectbluefin/(bluefin|actions)/\.github/workflows/' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  ghcr.io/projectbluefin/bluefin@sha256:3655e13bd2e06a212b4284b57cbc22e95e879f4fee115bdcb9059d319408233c

A valid response lists the certificate subject and OIDC issuer. Any tampered
image will produce a verification error.

2 — Fetch and inspect the SBOM

The SBOM (SPDX 2.3 JSON) is attached to the image as an
OCI referrer using
ORAS (CNCF graduated project).

# Discover the attached SBOM referrer
oras discover \
  --artifact-type application/vnd.spdx+json \
  ghcr.io/projectbluefin/bluefin@sha256:3655e13bd2e06a212b4284b57cbc22e95e879f4fee115bdcb9059d319408233c

# Pull the SBOM to disk (replace SBOM_DIGEST with the digest from above)
oras pull \
  --artifact-type application/vnd.spdx+json \
  ghcr.io/projectbluefin/bluefin@<SBOM_DIGEST>

The SBOM is also attached to this release as
bluefin.spdx.json.

3 — Verify the SBOM attestation

The SBOM is also stored as a signed
GitHub SBOM attestation
in the Sigstore transparency log.

cosign verify-attestation \
  --type https://spdx.dev/Document \
  --certificate-identity-regexp '^https://github\.com/projectbluefin/(bluefin|actions)/\.github/workflows/' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  ghcr.io/projectbluefin/bluefin@sha256:3655e13bd2e06a212b4284b57cbc22e95e879f4fee115bdcb9059d319408233c \
  | jq -r '.payload | @base64d | fromjson | .predicate.name'

4 — Verify SLSA Build L2 provenance

slsa-verifier (OpenSSF)
checks that this image was built by the expected workflow on the expected
source repository — not on a developer's laptop or a forked CI runner.

slsa-verifier verify-image \
  ghcr.io/projectbluefin/bluefin@sha256:3655e13bd2e06a212b4284b57cbc22e95e879f4fee115bdcb9059d319408233c \
  --source-uri 'github.com/projectbluefin/bluefin' \
  --source-versioned-tag 'stable-20260623'

You can also inspect the raw provenance:

cosign verify-attestation \
  --type slsaprovenance1 \
  --certificate-identity-regexp '^https://github\.com/projectbluefin/(bluefin|actions)/\.github/workflows/' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  ghcr.io/projectbluefin/bluefin@sha256:3655e13bd2e06a212b4284b57cbc22e95e879f4fee115bdcb9059d319408233c \
  | jq -r '.payload | @base64d | fromjson | .predicate'

Full changelog and verification guide → https://docs.projectbluefin.io/changelogs

Assets 5
Loading