Dockerfile workflow

[ianlewis]

We can provide a builder which builds a Docker image based on a Dockerfile as the build artifact and generate SLSA provenance for it.

[ianlewis]

A good point of comparison would be the docker actions for building and pushing images. They use buildx in their case and support building for different architectures using qemu.
https://github.com/marketplace/actions/build-and-push-docker-images

[chipzoller]

Generating a provenance based off a Dockerfile is a great start. You may also want to see how the same could be done for builds using tools like ko and buildpacks. These are both very popular alternatives to managing Dockerfiles.

[ianlewis]

For sure. I think @laurentsimon shared https://github.com/laurentsimon/slsa-github-generator-ko with you on slack maybe, but the idea is we will eventually merge that workflow here as well.

Buildpacks is a good idea but I think getting provenance generation for simple Dockerfiles working is probably a higher priority for now. We're happy to take issues and contributions if folks want to take on specific workflows or features.

[tahirraza]

This sounds like it can be a very useful workflow. Any progress on it? Doesn't look like it has been picked yet.

[rbehjati]

This sounds like it can be a very useful workflow. Any progress on it? Doesn't look like it has been picked yet.

Here is the top-level tracking issue: project-oak/transparent-release#145
We hope to have an initial version by the end of Q4'22.

[raoganeshr]

Is this done?

[laurentsimon]

It is not. @ianlewis started it but it's not complete yet. Maybe in the meantime you could use:

• https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/docker. You create an image as a dockerfile and use that to build your artifact. See https://slsa.dev/blog/2023/06/slsa-github-worfklows-container-based
• https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/container build the docker image yourself and get an attestation for it