stable-20260702: Stable

@github-actions github-actions released this 02 Jul 10:13
290ad88

Variants promoted

Variant Tag Digest
bluefin :stable sha256:659263e72c5a
bluefin-nvidia :stable sha256:6e16ea031659

Variants promoted

Variant Tag Digest
bluefin :stable sha256:88300491b3d7
bluefin-nvidia :stable sha256:a7c350593dd4

Release card

No package changes since the previous release. 0 packages total.

Desktop Screenshot

Bluefin desktop — stable-20260702

Captured from bluefin:testing during automated e2e validation — testsuite

Supply chain verification

Supply chain

This image is signed, attested, and ships a full SPDX-JSON SBOM.
Every artifact below is verifiable without trusting this release page.

Tools required — install via Homebrew or see links in each section:

brew install cosign oras slsa-verifier

1 — Verify the image signature

cosign (Sigstore) verifies the keyless
OIDC signature created by GitHub Actions at build time.

cosign verify \
  --certificate-identity-regexp '^https://github\.com/projectbluefin/(bluefin|actions)/\.github/workflows/' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  ghcr.io/projectbluefin/bluefin@sha256:88300491b3d7620b42cba313ecc1ce529b5ed155aa11865b265afb3098d9f88e

A valid response lists the certificate subject and OIDC issuer. Any tampered
image will produce a verification error.


2 — Fetch and inspect the SBOM

The SBOM (SPDX 2.3 JSON) is attached to the image as an
OCI referrer using
ORAS (CNCF graduated project).

# Discover the attached SBOM referrer
oras discover \
  --artifact-type application/vnd.spdx+json \
  ghcr.io/projectbluefin/bluefin@sha256:88300491b3d7620b42cba313ecc1ce529b5ed155aa11865b265afb3098d9f88e

# Pull the SBOM to disk (replace SBOM_DIGEST with the digest from above)
oras pull \
  --artifact-type application/vnd.spdx+json \
  ghcr.io/projectbluefin/bluefin@<SBOM_DIGEST>

The SBOM is also attached to this release as
bluefin.spdx.json.


3 — Verify the SBOM attestation

The SBOM is also stored as a signed
GitHub SBOM attestation
in the Sigstore transparency log.

cosign verify-attestation \
  --type https://spdx.dev/Document \
  --certificate-identity-regexp '^https://github\.com/projectbluefin/(bluefin|actions)/\.github/workflows/' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  ghcr.io/projectbluefin/bluefin@sha256:88300491b3d7620b42cba313ecc1ce529b5ed155aa11865b265afb3098d9f88e \
  | jq -r '.payload | @base64d | fromjson | .predicate.name'

4 — Verify SLSA Build L2 provenance

slsa-verifier (OpenSSF)
checks that this image was built by the expected workflow on the expected
source repository — not on a developer's laptop or a forked CI runner.

slsa-verifier verify-image \
  ghcr.io/projectbluefin/bluefin@sha256:88300491b3d7620b42cba313ecc1ce529b5ed155aa11865b265afb3098d9f88e \
  --source-uri 'github.com/projectbluefin/bluefin' \
  --source-versioned-tag 'stable-20260702'

You can also inspect the raw provenance:

cosign verify-attestation \
  --type slsaprovenance1 \
  --certificate-identity-regexp '^https://github\.com/projectbluefin/(bluefin|actions)/\.github/workflows/' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  ghcr.io/projectbluefin/bluefin@sha256:88300491b3d7620b42cba313ecc1ce529b5ed155aa11865b265afb3098d9f88e \
  | jq -r '.payload | @base64d | fromjson | .predicate'
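The jq one-liners in steps 3 and 4 only print a field from the predicate. Before trusting what they print, a verifier should also confirm that the decoded in-toto statement is bound to the image digest that was passed to cosign, and that its predicateType is the one requested. The following is an added example, not part of this release page or the Bluefin project: it decodes one DSSE envelope line as printed by `cosign verify-attestation` and performs those checks. The envelope and SPDX predicate below are constructed sample data, not a real attestation for this release.

```python
import base64
import json

# Image digest taken from the cosign commands on this release page.
IMAGE_DIGEST = "88300491b3d7620b42cba313ecc1ce529b5ed155aa11865b265afb3098d9f88e"

# Constructed sample in the shape cosign verify-attestation prints (one DSSE
# envelope per line). This is NOT a real attestation for this release.
SAMPLE_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://spdx.dev/Document",
    "subject": [{"name": "ghcr.io/projectbluefin/bluefin",
                 "digest": {"sha256": IMAGE_DIGEST}}],
    "predicate": {"spdxVersion": "SPDX-2.3", "name": "bluefin.spdx.json"},
}
SAMPLE_ENVELOPE = json.dumps({
    "payloadType": "application/vnd.in-toto+json",
    "payload": base64.b64encode(json.dumps(SAMPLE_STATEMENT).encode()).decode(),
    "signatures": [{"keyid": "", "sig": "<constructed-placeholder>"}],
})


def check_attestation(envelope_line, image_digest, predicate_type):
    """Decode one DSSE envelope line and confirm the signed in-toto statement
    describes the image we asked cosign to verify.

    cosign has already checked the signature and the certificate identity;
    this checks WHAT was signed: payload type, predicate type, and that the
    statement's subject carries the expected image digest. Returns the
    predicate on success, raises ValueError on any mismatch."""
    env = json.loads(envelope_line)
    if env.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError(f"unexpected payloadType {env.get('payloadType')!r}")
    stmt = json.loads(base64.b64decode(env["payload"]))
    if stmt.get("predicateType") != predicate_type:
        raise ValueError(
            f"predicateType {stmt.get('predicateType')!r} != {predicate_type!r}")
    # The subject list binds the predicate to concrete artifact digests.
    digests = {s.get("digest", {}).get("sha256") for s in stmt.get("subject", [])}
    if image_digest not in digests:
        raise ValueError(
            f"subject digests {sorted(d for d in digests if d)} lack {image_digest}")
    return stmt["predicate"]


if __name__ == "__main__":
    # Usage: pipe real cosign output through this script instead of jq.
    import sys
    for line in (sys.stdin if not sys.stdin.isatty() else [SAMPLE_ENVELOPE]):
        print(check_attestation(line, IMAGE_DIGEST, "https://spdx.dev/Document"))
```

A digest mismatch is the failure mode worth catching: a valid signature on a statement about some other image still verifies under the same identity regexp, but it says nothing about the image you pulled.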

Full changelog and verification guide → https://docs.projectbluefin.io/changelogs