stable-20260702: Stable
Variants promoted
| Variant | Tag | Digest |
|---|---|---|
bluefin |
:stable |
sha256:659263e72c5a |
bluefin-nvidia |
:stable |
sha256:6e16ea031659 |
Variants promoted
| Variant | Tag | Digest |
|---|---|---|
bluefin |
:stable |
sha256:88300491b3d7 |
bluefin-nvidia |
:stable |
sha256:a7c350593dd4 |
no package changes since the previous release. 0 packages total.
Desktop Screenshot
Captured from bluefin:testing during automated e2e validation — testsuite
Supply chain verification
Supply chain
This image is signed, attested, and ships a full SPDX-JSON SBOM.
Every artifact below is verifiable without trusting this release page.
Tools required — install via Homebrew or see links in each section:
brew install cosign oras slsa-verifier1 — Verify the image signature
cosign (Sigstore) verifies the keyless
OIDC signature created by GitHub Actions at build time.
cosign verify \
--certificate-identity-regexp '^https://github\.com/projectbluefin/(bluefin|actions)/\.github/workflows/' \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
ghcr.io/projectbluefin/bluefin@sha256:88300491b3d7620b42cba313ecc1ce529b5ed155aa11865b265afb3098d9f88eA valid response lists the certificate subject and OIDC issuer. Any tampered
image will produce a verification error.
2 — Fetch and inspect the SBOM
The SBOM (SPDX 2.3 JSON) is attached to the image as an
OCI referrer using
ORAS (CNCF graduated project).
# Discover the attached SBOM referrer
oras discover \
--artifact-type application/vnd.spdx+json \
ghcr.io/projectbluefin/bluefin@sha256:88300491b3d7620b42cba313ecc1ce529b5ed155aa11865b265afb3098d9f88e
# Pull the SBOM to disk (replace SBOM_DIGEST with the digest from above)
oras pull \
--artifact-type application/vnd.spdx+json \
ghcr.io/projectbluefin/bluefin@<SBOM_DIGEST>The SBOM is also attached to this release as
bluefin.spdx.json.
3 — Verify the SBOM attestation
The SBOM is also stored as a signed
GitHub SBOM attestation
in the Sigstore transparency log.
cosign verify-attestation \
--type https://spdx.dev/Document \
--certificate-identity-regexp '^https://github\.com/projectbluefin/(bluefin|actions)/\.github/workflows/' \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
ghcr.io/projectbluefin/bluefin@sha256:88300491b3d7620b42cba313ecc1ce529b5ed155aa11865b265afb3098d9f88e \
| jq -r '.payload | @base64d | fromjson | .predicate.name'4 — Verify SLSA Build L2 provenance
slsa-verifier (OpenSSF)
checks that this image was built by the expected workflow on the expected
source repository — not on a developer's laptop or a forked CI runner.
slsa-verifier verify-image \
ghcr.io/projectbluefin/bluefin@sha256:88300491b3d7620b42cba313ecc1ce529b5ed155aa11865b265afb3098d9f88e \
--source-uri 'github.com/projectbluefin/bluefin' \
--source-versioned-tag 'stable-20260702'You can also inspect the raw provenance:
cosign verify-attestation \
--type slsaprovenance1 \
--certificate-identity-regexp '^https://github\.com/projectbluefin/(bluefin|actions)/\.github/workflows/' \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
ghcr.io/projectbluefin/bluefin@sha256:88300491b3d7620b42cba313ecc1ce529b5ed155aa11865b265afb3098d9f88e \
| jq -r '.payload | @base64d | fromjson | .predicate'Full changelog and verification guide → https://docs.projectbluefin.io/changelogs
Full changelog → https://docs.projectbluefin.io/changelogs

