Skip to content

ci: attach an SBOM attestation to published images#707

Merged
rmyndharis merged 1 commit into
mainfrom
ci/sbom-attestation
Jul 12, 2026
Merged

ci: attach an SBOM attestation to published images#707
rmyndharis merged 1 commit into
mainfrom
ci/sbom-attestation

Conversation

@rmyndharis

Copy link
Copy Markdown
Owner

What

Add sbom: true (and pin provenance: true) to the docker/build-push-action step in both ci.yml and release.yml.

Why — and a correction

I previously claimed the published images had no provenance or SBOM. That was half wrong. Inspecting the published image (docker buildx imagetools inspect ghcr.io/rmyndharis/openwa:0.8.16) shows each platform already carries an attestation-manifest with predicateType https://slsa.dev/provenance/v1build-push-action@v7 defaults provenance: true. So provenance was already present. The real gap is SBOM (sbom: is opt-in and was unset). This adds it.

Effect

Every image built by CI (PR/branch) and on release now carries an in-toto SBOM attestation alongside the existing SLSA provenance, verifiable via docker buildx imagetools inspect. provenance: true is now explicit rather than relying on the action default.

Caveat

The release.yml job runs on tag push only; the ci.yml docker job runs on PRs, so PR CI will exercise sbom: true and confirm the SBOM builds cleanly before this merges.

Each image built by CI and on release now carries an in-toto SBOM attestation
alongside the SLSA provenance docker/build-push-action already generates by
default (provenance was on but implicit; pin it explicitly so the
attestation pair is self-documenting). Both are verifiable via
`docker buildx imagetools inspect ghcr.io/rmyndharis/openwa:<tag>`.
@rmyndharis rmyndharis merged commit d87d76c into main Jul 12, 2026
6 checks passed
@rmyndharis rmyndharis deleted the ci/sbom-attestation branch July 12, 2026 08:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant