Skip to content

ci: sign published images (cosign) + attest SLSA build provenance#40

Merged
imran-siddique merged 1 commit into
mainfrom
ci/sign-and-attest-images
Jul 6, 2026
Merged

ci: sign published images (cosign) + attest SLSA build provenance#40
imran-siddique merged 1 commit into
mainfrom
ci/sign-and-attest-images

Conversation

@imran-siddique

Copy link
Copy Markdown
Contributor

The Docker publish workflow pushed the release image to ghcr.io with no signature and no provenance. This adds supply-chain attestation to the published image:

  • Keyless cosign signing of the pushed image by digest (Sigstore / Fulcio / Rekor via GitHub OIDC, no long-lived keys).
  • SLSA build provenance via actions/attest-build-provenance, pushed to the registry as an attestation.

Adds id-token: write + attestations: write permissions and signs the immutable digest (not the mutable tag). Consumers can verify with cosign verify / gh attestation verify.

Note: the new actions use major-version tags to match this workflow's existing convention (@v7, @v4); pinning all actions to commit SHAs is a repo-wide follow-up.

Closes part of the agentrust-io supply-chain hardening (catalog Appendix B, "artifact signing / SLSA provenance").

🤖 Generated with Claude Code

…enance

Images pushed to ghcr.io were unsigned with no provenance. Add keyless cosign
signing of the pushed image by digest (OIDC, no keys) and an
actions/attest-build-provenance SLSA provenance attestation pushed to the registry.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@imran-siddique imran-siddique merged commit c093a9b into main Jul 6, 2026
12 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant