stable-20260703: Stable
Variants promoted

| Variant | Tag | Digest |
|---|---|---|
| bluefin | :stable | sha256:28dd0c9cadfb |
| bluefin-nvidia | :stable | sha256:4c09e1ee31bd |

Variants promoted

| Variant | Tag | Digest |
|---|---|---|
| bluefin | :stable | sha256:0955fb97507e |
| bluefin-nvidia | :stable | sha256:46bab93a33bd |
No package changes since the previous release. 0 packages total.
[Desktop screenshot] Captured from bluefin:testing during automated e2e validation (testsuite).
Supply chain verification
This image is signed, attested, and ships a full SPDX-JSON SBOM.
Every artifact below is verifiable without trusting this release page.
Tools required (install via Homebrew, or see the links in each section):

```bash
brew install cosign oras slsa-verifier
```

1 — Verify the image signature
cosign (Sigstore) verifies the keyless OIDC signature that GitHub Actions created at build time. The two identity flags are what make keyless verification meaningful: `--certificate-identity-regexp` restricts the accepted signer to workflows in the projectbluefin/bluefin and projectbluefin/actions repositories, and `--certificate-oidc-issuer` restricts the certificate issuer to GitHub's token service. Without both constraints, a valid Sigstore signature produced by any other GitHub workflow would verify just as well.
```bash
cosign verify \
  --certificate-identity-regexp '^https://github\.com/projectbluefin/(bluefin|actions)/\.github/workflows/' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  ghcr.io/projectbluefin/bluefin@sha256:0955fb97507e84ec82bfdbf040384b5f3c56a7a693855077e7d77161809e0634
```

A valid response lists the certificate subject (the signing workflow) and the OIDC issuer. Always verify against the digest rather than the :stable tag: a tag can be moved, while the digest names exactly one manifest. An image whose content has been altered therefore has a different digest and never matches this reference, and an image signed by anything outside the pinned workflows fails the identity check with a verification error.
2 — Fetch and inspect the SBOM
The SBOM (SPDX 2.3 JSON) is attached to the image as an OCI referrer and is retrieved with ORAS (a CNCF project).
```bash
# Discover the attached SBOM referrer
oras discover \
  --artifact-type application/vnd.spdx+json \
  ghcr.io/projectbluefin/bluefin@sha256:0955fb97507e84ec82bfdbf040384b5f3c56a7a693855077e7d77161809e0634

# Pull the SBOM to disk (replace SBOM_DIGEST with the digest from above)
oras pull \
  --artifact-type application/vnd.spdx+json \
  ghcr.io/projectbluefin/bluefin@<SBOM_DIGEST>
```

The SBOM is also attached to this release as bluefin.spdx.json. The copy pulled in this step is only as trustworthy as the registry that served it (the digest you pass to oras pull also came from the registry); step 3 checks the signed copy recorded in the transparency log.
3 — Verify the SBOM attestation
The SBOM is also stored as a signed GitHub SBOM attestation, recorded in the Sigstore transparency log.
```bash
cosign verify-attestation \
  --type https://spdx.dev/Document \
  --certificate-identity-regexp '^https://github\.com/projectbluefin/(bluefin|actions)/\.github/workflows/' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  ghcr.io/projectbluefin/bluefin@sha256:0955fb97507e84ec82bfdbf040384b5f3c56a7a693855077e7d77161809e0634 \
  | jq -r '.payload | @base64d | fromjson | .predicate.name'
```

cosign prints each verified attestation as a DSSE envelope, one per line. The jq filter base64-decodes the envelope payload (an in-toto statement) and prints the SBOM document name from its predicate; the same decoding gives you the full package list if you drop the final `.name`.

4 — Verify SLSA Build L2 provenance
slsa-verifier (OpenSSF) checks that this image was built by the expected workflow on the expected source repository, not on a developer's laptop or a forked CI runner.
```bash
slsa-verifier verify-image \
  ghcr.io/projectbluefin/bluefin@sha256:0955fb97507e84ec82bfdbf040384b5f3c56a7a693855077e7d77161809e0634 \
  --source-uri 'github.com/projectbluefin/bluefin' \
  --source-versioned-tag 'stable-20260703'
```

You can also inspect the raw provenance:
```bash
cosign verify-attestation \
  --type slsaprovenance1 \
  --certificate-identity-regexp '^https://github\.com/projectbluefin/(bluefin|actions)/\.github/workflows/' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  ghcr.io/projectbluefin/bluefin@sha256:0955fb97507e84ec82bfdbf040384b5f3c56a7a693855077e7d77161809e0634 \
  | jq -r '.payload | @base64d | fromjson | .predicate'
```

Full changelog and verification guide → https://docs.projectbluefin.io/changelogs
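The jq pipelines in steps 3 and 4 print one field of the decoded payload and nothing else. The script below is an added example, not part of this release page or of Bluefin's own tooling. It decodes DSSE envelopes of the shape cosign prints, rejects any statement whose in-toto subject digest is not the digest pinned above or whose predicate type is not the one requested, then lists the SBOM packages and summarises the provenance (which repository, ref and workflow built the image). The two envelopes it parses are constructed samples built inline: the packages are made up, the signature field is a placeholder that is not checked (cosign verified it before printing), and the field layout used for the SLSA v1 provenance (buildDefinition.externalParameters.workflow and runDetails.builder.id) is assumed; confirm those paths against what step 4 prints for the real image.

```python
"""Decode and sanity-check the DSSE envelopes printed by `cosign verify-attestation`.

Added example; not part of the Bluefin release page or the project's tooling.
The envelopes below are CONSTRUCTED samples that mimic the real shape.
"""
import base64
import json

# Pinned digest from the release page (bluefin :stable, stable-20260703).
IMAGE_DIGEST = "sha256:0955fb97507e84ec82bfdbf040384b5f3c56a7a693855077e7d77161809e0634"

SPDX_TYPE = "https://spdx.dev/Document"
SLSA_V1_TYPE = "https://slsa.dev/provenance/v1"   # what cosign's --type slsaprovenance1 selects


def _envelope(statement: dict) -> str:
    """Wrap an in-toto statement in a DSSE envelope as cosign prints it (constructed sample)."""
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return json.dumps({"payloadType": "application/vnd.in-toto+json",
                       "payload": payload,
                       "signatures": [{"keyid": "", "sig": "c2lnbmF0dXJl"}]})  # placeholder, not checked


def _statement(predicate_type: str, predicate: dict, digest: str = IMAGE_DIGEST) -> dict:
    """In-toto v1 statement whose single subject is the image digest (constructed sample)."""
    return {"_type": "https://in-toto.io/Statement/v1",
            "subject": [{"name": "ghcr.io/projectbluefin/bluefin",
                         "digest": {"sha256": digest.removeprefix("sha256:")}}],
            "predicateType": predicate_type,
            "predicate": predicate}


# Constructed SBOM attestation with two made-up packages.
SBOM_ENVELOPE = _envelope(_statement(SPDX_TYPE, {
    "spdxVersion": "SPDX-2.3", "name": "ghcr.io/projectbluefin/bluefin",
    "packages": [{"name": "coreutils", "versionInfo": "9.5-1"},
                 {"name": "openssl", "versionInfo": "3.2.2-1"}]}))

# Constructed SLSA v1 provenance; the field layout is ASSUMED to follow GitHub's build-provenance attestations.
PROVENANCE_ENVELOPE = _envelope(_statement(SLSA_V1_TYPE, {
    "buildDefinition": {
        "buildType": "https://actions.github.io/buildtypes/workflow/v1",
        "externalParameters": {"workflow": {
            "ref": "refs/tags/stable-20260703",
            "repository": "https://github.com/projectbluefin/bluefin",
            "path": ".github/workflows/build.yml"}}},
    "runDetails": {"builder": {
        "id": "https://github.com/projectbluefin/bluefin/.github/workflows/build.yml@refs/tags/stable-20260703"}}}))


def decode_envelope(envelope_json: str) -> dict:
    """Equivalent of jq '.payload | @base64d | fromjson': return the in-toto statement."""
    env = json.loads(envelope_json)
    if env.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError(f"unexpected payloadType {env.get('payloadType')!r}")
    return json.loads(base64.b64decode(env["payload"]))


def statements_from_cosign_output(text: str) -> list[dict]:
    """cosign verify-attestation prints one DSSE envelope per line; decode them all."""
    return [decode_envelope(line) for line in text.splitlines() if line.strip()]


def verify_statement(statement: dict, expected_digest: str, expected_type: str) -> dict:
    """Return the predicate only if the statement is about our pinned digest and of the type we asked for."""
    if statement.get("predicateType") != expected_type:
        raise ValueError(f"predicateType {statement.get('predicateType')!r} != {expected_type!r}")
    want = expected_digest.removeprefix("sha256:")
    subjects = [s.get("digest", {}).get("sha256") for s in statement.get("subject", [])]
    if want not in subjects:
        raise ValueError(f"subject digest(s) {subjects} do not include pinned {want}")
    return statement["predicate"]


def sbom_packages(predicate: dict) -> list[tuple[str, str]]:
    """(name, version) pairs from an SPDX 2.3 predicate; a vulnerability scan starts from this list."""
    return [(p["name"], p.get("versionInfo", "")) for p in predicate.get("packages", [])]


def provenance_summary(predicate: dict) -> dict:
    """Answer 'which workflow, on which repository, at which ref, on which builder, built this?'."""
    wf = predicate["buildDefinition"]["externalParameters"]["workflow"]
    return {"repository": wf["repository"], "ref": wf["ref"], "workflow": wf["path"],
            "builder": predicate["runDetails"]["builder"]["id"]}


if __name__ == "__main__":
    sbom = verify_statement(decode_envelope(SBOM_ENVELOPE), IMAGE_DIGEST, SPDX_TYPE)
    for name, version in sbom_packages(sbom):
        print(f"{name} {version}")
    prov = verify_statement(decode_envelope(PROVENANCE_ENVELOPE), IMAGE_DIGEST, SLSA_V1_TYPE)
    print(provenance_summary(prov))
```

To run it against the real image, redirect the output of the cosign command in step 3 or 4 to a file and pass its contents to statements_from_cosign_output; the subject-digest check then catches the case where a registry or a mirror hands back an attestation that was made for some other image.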

