ci: attach SLSA build provenance to the application images (#110)#114

Merged
toddysm merged 1 commit into
mainfrom
feature/image-provenance
Jul 1, 2026

Conversation

@toddysm toddysm commented Jul 1, 2026

Implements #110 (tracked by #111) — the final item.

Enables build provenance in the build / cssc-dashboard workflow (docker buildx build --provenance=mode=max): each application image gets a SLSA build-provenance attestation per platform, attached as an OCI referrer, recording the builder, source repo + revision, materials (incl. base image digest), and build parameters.

actionlint clean.

Enable buildx provenance (--provenance=mode=max) so each app image carries a
SLSA build-provenance attestation per platform as an OCI referrer (builder,
source, revision, materials incl. base digest). Documents retrieval in
image-attestations.md. Closes #110.
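As an added example (not code from this PR or the cssc-dashboard repository), a policy check a deploy pipeline could run over the retrieved provenance: given one platform's in-toto statement, as `docker buildx imagetools inspect <ref> --format '{{json .Provenance}}'` returns it, confirm the builder, source revision and base-image material are the ones expected. The sample statement, repo, revision, digests and builder id are constructed placeholders, and the JSON shape is assumed from BuildKit's SLSA provenance v0.2 predicate.

```python
import json

# Added example (not the PR's or the repository's code). SAMPLE_STATEMENT is a
# constructed in-toto statement mirroring what BuildKit emits for
# --provenance=mode=max (SLSA provenance v0.2 predicate), i.e. one platform's
# entry of `docker buildx imagetools inspect <ref> --format '{{json .Provenance}}'`;
# repo, revision, digests and builder id are placeholders.
SLSA_V02 = "https://slsa.dev/provenance/v0.2"
REV = "0123456789abcdef0123456789abcdef01234567"  # placeholder git sha1
SRC = "https://github.com/example/cssc-dashboard.git#refs/heads/main"
SAMPLE_STATEMENT = json.dumps({
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": SLSA_V02,
    "subject": [{"name": "pkg:docker/example/cssc-dashboard@main",
                 "digest": {"sha256": "aa" * 32}}],
    "predicate": {
        "builder": {"id": "https://github.com/example/cssc-dashboard/actions/runs/1"},
        "invocation": {"configSource": {"uri": SRC, "digest": {"sha1": REV},
                                        "entryPoint": "Dockerfile"}},
        "materials": [{"uri": SRC, "digest": {"sha1": REV}},
                      {"uri": "pkg:docker/library/python@3.12-slim",  # base image
                       "digest": {"sha256": "bb" * 32}}],
    },
})


def check_provenance(statement_json, expected_repo, expected_revision,
                     expected_base_digest, builder_prefix):
    """Return the list of policy violations; empty means the attestation
    claims the builder, source revision and base image the deployment
    expects. Absent fields count as violations, never as passes."""
    stmt = json.loads(statement_json)
    if stmt.get("predicateType") != SLSA_V02:
        return ["unexpected predicateType %r" % stmt.get("predicateType")]
    pred = stmt.get("predicate", {})
    problems = []
    builder_id = pred.get("builder", {}).get("id", "")
    if not builder_id.startswith(builder_prefix):
        problems.append("builder id %r not under %r" % (builder_id, builder_prefix))
    src = pred.get("invocation", {}).get("configSource", {})
    if not src.get("uri", "").startswith(expected_repo):
        problems.append("source uri %r is not %r" % (src.get("uri"), expected_repo))
    rev = src.get("digest", {}).get("sha1")
    if rev != expected_revision:
        problems.append("source revision %r != %r" % (rev, expected_revision))
    # materials list every input BuildKit consumed, incl. the base image digest
    seen = {m.get("digest", {}).get("sha256") for m in pred.get("materials", [])}
    if expected_base_digest not in seen:
        problems.append("base image digest %s not among materials" % expected_base_digest)
    return problems
```

The attestation only records what the builder claims; pair this check with signature verification of the referrer before trusting its contents.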
Copilot AI review requested due to automatic review settings July 1, 2026 03:28

Copilot AI left a comment

Pull request overview

This pull request enables SLSA-style build provenance attestations for the CSSC Dashboard application images built in GitHub Actions, attaching per-platform provenance as OCI referrers alongside the existing multi-arch OCI images, annotations, and SBOMs. It also documents how to inspect the provenance data.

Changes:

  • Enable BuildKit provenance generation in the build / cssc-dashboard workflow via docker buildx build --provenance=mode=max.
  • Extend the image attestations reference docs with a new Provenance section and retrieval example.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File | Description
docs/reference/image-attestations.md | Documents provenance attestations and how to retrieve/inspect them with buildx imagetools inspect.
.github/workflows/build-cssc-dashboard.yml | Switches buildx from --provenance=false to --provenance=mode=max and updates workflow messaging accordingly.

@toddysm toddysm merged commit 0d42a72 into main Jul 1, 2026
4 checks passed
@toddysm toddysm deleted the feature/image-provenance branch July 1, 2026 03:31