
Added a shared action to build and scan an image#2

Merged
thomasm-ttd merged 1 commit into main from tjm-UID2-577-add-shared-action-build-scan on Jan 31, 2023

Conversation

@thomasm-ttd

Contributor

No description provided.

@thomasm-ttd

Contributor Author

Merging as I can't test it on a branch. Only an added file, so no impact on existing workflows or actions.

@thomasm-ttd thomasm-ttd merged commit 8b81ade into main Jan 31, 2023
@thomasm-ttd thomasm-ttd deleted the tjm-UID2-577-add-shared-action-build-scan branch January 31, 2023 22:31
BehnamMozafari added a commit that referenced this pull request May 8, 2026
Addresses jon8787's review comments on PR #228:
- #2 verify step: attest_image now calls 'gh attestation verify' immediately
  after signing so misconfigured signatures fail at build time, not consumer
  pull time.
- #3 case sensitivity: lowercase the image ref once and reuse it for both
  signing and verifying. actions/attest@v4 already lowercases subject-name
  internally when push-to-registry is true (verified at the pinned commit
  59d8942 in src/main.ts and src/subject.ts), but 'gh attestation verify'
  does NOT lowercase the OCI URI we pass it; doing it ourselves keeps the
  signed name and the verified URI byte-identical.
- #4 NODE_OPTIONS comment: brief comment explaining why we mirror
  actions/attest-build-provenance's defensive HTTP header bump.
- #5 extract: pulled the attest+verify pair into a single composite action
  so the Java workflow and the non-Java composite action share one
  implementation.

Adds .github/workflows/test-attest-image.yaml: a manually-dispatched smoke
test that builds a throwaway image and exercises the full attest+verify
path. Use this whenever attest_image or actions/attest@v4 changes.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
BehnamMozafari added a commit that referenced this pull request May 11, 2026
gh CLI's verifier currently rejects attestation certs chained to GitHub's
internal Sigstore ("GitHub, Inc." CA), which is the path used for private
repos. Tried --no-public-good and --bundle-from-oci; same failure. Signing
and upload work fine (attestation gets to both the GH attestations API and
the OCI registry). External verifiers can still validate the bundle.

Demote to a warning for private repos so publishes don't break. Public
repos (4 of 6 consumers) still hard-fail on verify mismatch as Jon's
review #2 intended.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
BehnamMozafari added a commit that referenced this pull request May 11, 2026
End-to-end smoke against private UnifiedID2/uid2-test-source surfaced a
real gh CLI limitation: attestations signed by GitHub's internal Sigstore
instance (used for private repos) fail verification with
'Error: verifying with issuer "GitHub, Inc."'. Tried --no-public-good,
--bundle-from-oci, --cert-oidc-issuer combinations; same result.

Signing and upload still succeed (bundle lands in both the attestations
API and the OCI registry), so external verifiers remain authoritative.
Demote the in-CI verify failure to a warning for private repos only;
public repos still hard-fail on verify mismatch as Jon's review #2
intended.

Evidence: UnifiedID2/uid2-test-source actions run 25643422322 — full
shared-publish-to-docker-versioned.yaml chain green (setup → buildx →
vulnerability_scan → push → attest_image sign+upload → shared_create_releases
draft), attestation signed for ghcr.io/.../uid2-6764-smoke@sha256:05058e77...

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
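The three commit messages above describe a small amount of logic that is easy to get subtly wrong: lowercase the image reference exactly once and reuse it for both signing and `gh attestation verify` (the subject name and the `oci://` URI must match byte for byte), and make a verify failure fatal for public repositories but only a warning for private ones. The POSIX shell below is an added illustration of that logic and is not the project's `attest_image` action; the function names, the sample image references and the owner value are constructed for the example. `gh attestation verify oci://<image> --owner <org>` is the real CLI form named in the commits; the block only composes that command line rather than executing it, so it runs offline.

```shell
#!/bin/sh
# Added example (not UID2's attest_image action): normalise an image ref once,
# build the verify command from the normalised ref, and map the verifier's
# exit status to a step outcome that depends on repository visibility.

# Lowercase the whole reference so the name passed to the signer and the
# oci:// URI passed to 'gh attestation verify' are byte-identical.
# The sha256 digest is already lowercase hex, so lowercasing it is harmless.
normalize_image_ref() {
  printf '%s' "$1" | tr '[:upper:]' '[:lower:]'
}

# Compose the exact command line the composite action would run.
# $1 = image reference (possibly mixed case), $2 = GitHub owner/org.
verify_command() {
  ref=$(normalize_image_ref "$1")
  printf 'gh attestation verify oci://%s --owner %s' "$ref" "$2"
}

# Decide what a verifier exit status means for the step.
# $1 = exit status of 'gh attestation verify', $2 = repo visibility
# (public|private). Private repos are demoted to a warning because the gh CLI
# currently cannot verify certs chained to GitHub's internal Sigstore; public
# repos keep the hard failure so a misconfigured signature breaks the build.
verify_outcome() {
  if [ "$1" -eq 0 ]; then
    echo pass
  elif [ "$2" = private ]; then
    echo warn
  else
    echo fail
  fi
}

# Constructed sample usage: a mixed-case ref that a workflow might receive.
sample_ref='ghcr.io/UnifiedID2/Uid2-Smoke@sha256:0000000000000000000000000000000000000000000000000000000000000000'
verify_command "$sample_ref" UnifiedID2
echo
verify_outcome 1 private
verify_outcome 1 public
```

Running the block prints the composed verify command with the repository path lowercased, then `warn` and `fail` for the two visibility cases. In a real action the outcome function would be driven by the actual exit status of `gh attestation verify` and, for `warn`, by a `::warning::` annotation rather than a hard `exit 1`.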