diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index a24660b45..1a75604e6 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -20,6 +20,10 @@ jobs: contents: read packages: write + outputs: + image: ${{ steps.image.outputs.image }} + digest: ${{ steps.build-and-push.outputs.digest }} + steps: - name: Checkout repository uses: actions/checkout@v4 @@ -37,6 +41,7 @@ jobs: with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} tags: | + type=sha type=ref,event=branch type=semver,pattern={{version}} type=semver,pattern={{major}}.{{minor}} @@ -55,6 +60,7 @@ jobs: if: github.ref != 'refs/heads/master' - name: Build and push Docker image + id: build-and-push uses: docker/build-push-action@15560696de535e4014efeff63c48f16952e52dd1 with: push: true @@ -64,3 +70,26 @@ jobs: pull: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} + + - name: Output image + id: image + run: | + # NOTE: Set the image as an output because the `env` context is not + # available to the inputs of a reusable workflow call. + image_name="${REGISTRY}/${IMAGE_NAME}" + echo "image=$image_name" >> "$GITHUB_OUTPUT" + + provenance: + needs: [build-and-push-image] + permissions: + actions: read # for detecting the Github Actions environment. + id-token: write # for creating OIDC tokens for signing. + packages: write # for uploading attestations. + if: github.repository == 'restic/restic' + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0 + with: + image: ${{ needs.build-and-push-image.outputs.image }} + digest: ${{ needs.build-and-push-image.outputs.digest }} + registry-username: ${{ github.actor }} + secrets: + registry-password: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file diff --git a/changelog/unreleased/issue-4983 b/changelog/unreleased/issue-4983 new file mode 100644 index 000000000..e5292cf5c --- /dev/null +++ b/changelog/unreleased/issue-4983 
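Review bot: The rewritten end of docker.yml loses its trailing newline (the last hunk ends with `\ No newline at end of file` right after the `registry-password: ${{ secrets.GITHUB_TOKEN }}` line); add a final newline so the file stays POSIX-clean and the next edit to the end of the file does not show a spurious one-line diff. The new `uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0` reference is pinned by tag whereas the rest of the workflow pins third-party actions by full commit SHA (`docker/build-push-action@15560696de535e4014efeff63c48f16952e52dd1` in the previous hunk); as far as I recall the SLSA generator must be referenced by a release tag for slsa-verifier to accept the provenance, so if that is why the tag was chosen, record it above the line with `# Referenced by release tag on purpose: the SLSA generator is verified by tag ref, not by commit SHA.` so a later hash-pinning sweep does not silently break provenance generation. The `Output image` step derives `image_name` from `REGISTRY` and `IMAGE_NAME`, both defined outside this hunk; container image references must be lowercase, so it is worth confirming that `IMAGE_NAME` is already lowercase before it is handed to the generator via `needs.build-and-push-image.outputs.image`. The enclosing `build-and-push-image` job starts outside the hunk, so its job-level `if:` guard is not visible here.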
@@ -0,0 +1,8 @@ +Enhancement: add SLSA provenance to the GHCR Container images + +Restic's GitHub Container Registry (GHCR) image build workflow now includes +SLSA provenance generation. This enhancement improves the security and +traceability of images built and pushed to GHCR. + +https://github.com/restic/restic/issues/4983 +https://github.com/restic/restic/pull/4999 \ No newline at end of file diff --git a/doc/developer_information.rst b/doc/developer_information.rst index f0fe28c32..f1eae3a67 100644 --- a/doc/developer_information.rst +++ b/doc/developer_information.rst @@ -113,6 +113,34 @@ The following steps are necessary to build the binaries: restic/builder \ go run helpers/build-release-binaries/main.go --version 0.14.0 --verbose +Verifying SLSA Provenance for Docker Images +******************************************* + +Our Docker images are built with SLSA (Supply-chain Levels for Software Artifacts) +provenance. + +To verify this provenance: + +1. Install the `slsa-verifier` tool from https://github.com/slsa-framework/slsa-verifier + +2. Run the following command: + + .. code-block:: console + + $ slsa-verifier verify-image \ + --source-uri github.com/restic/restic \ + @ + + Replace `` with the Git tag of the release you're verifying, `` + with the full name of the Docker image (including the registry), and `` + with the SHA256 digest of the image. + +3. If the verification is successful, you'll see output indicating that the provenance +is valid. + +This verification ensures that the Docker image was built by our official GitHub +Actions workflow and has not been tampered with since its creation. + Verifying the Official Binaries *******************************