Skip to content

feat(publish-image-index-manifest): Expose image index manifest digest#113

Merged
dervoeti merged 2 commits into
mainfrom
feat/slsa-provenance-index-digest
Jun 26, 2026
Merged

feat(publish-image-index-manifest): Expose image index manifest digest#113
dervoeti merged 2 commits into
mainfrom
feat/slsa-provenance-index-digest

Conversation

@dervoeti

Copy link
Copy Markdown
Member

This is needed to generate SLSA provenance for our images (= signed attestations attached to an image / index manifest that prove when and how the image was built).

Add an image-index-manifest-digest output to the publish-image-index-manifest action so the digest of the pushed multi-arch index can be fed into SLSA provenance generation.

The digest is now computed right after docker manifest push in the create-index step and reused by the sign step instead of being recomputed.

Optional extra information:
I added SLSA provenance to our fork of SecObserve already in a similar fashion, here is the workflow run:
https://github.com/stackabletech/SecObserve/actions/runs/28184881580

Here is an example of how to manually inspect the SLSA provenance attestation for an image:

cosign download attestation oci.stackable.tech/stackable/secobserve-backend@sha256:f86020f9a9cc94e9481c94920b46acbf141f809928f6ade07a59
de8a844526f3 | jq -r '.payload' | base64 -d | jq 'select(.predicateType=="https://slsa.dev/provenance/v0.2") | .predicate.invocation'

Or using slsa-verifier:

slsa-verifier verify-image oci.stackable.tech/stackable/secobserve-backend@sha256:f86020f9a9cc94e9481c94920b46acbf141f809928f6ade07a59de8a844526f3 --source-uri github.com/stackabletech/SecObserve

It's basically a signed JSON document that provides a ton of metadata about the image build. The attestation is done by an isolated job that runs https://github.com/slsa-framework/slsa-github-generator/blob/main/.github/workflows/generator_container_slsa3.yml, so it's an independent "witness" that can't be manipulated (this means we achieve SLSA level 3). Luckily it's pretty easy to do since we use GitHub actions.

@dervoeti dervoeti changed the title feat(publish-image-index-manifest): expose image index manifest digest feat(publish-image-index-manifest): Expose image index manifest digest Jun 26, 2026
@dervoeti dervoeti self-assigned this Jun 26, 2026
@dervoeti dervoeti moved this to Development: Waiting for Review in Stackable Engineering Jun 26, 2026

@NickLarsenNZ NickLarsenNZ left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@dervoeti
dervoeti merged commit 1a0aa5b into main Jun 26, 2026
2 checks passed
@dervoeti
dervoeti deleted the feat/slsa-provenance-index-digest branch June 26, 2026 14:31
@Techassi Techassi moved this from Development: Waiting for Review to Development: Done in Stackable Engineering Jun 29, 2026
@lfrancke lfrancke moved this from Development: Done to Done in Stackable Engineering Jun 29, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Development

Successfully merging this pull request may close these issues.

4 participants