From 144221b430e3e4f9d2e7431925e1c4714cd38dde Mon Sep 17 00:00:00 2001
From: Srigovind Nayak
Date: Sun, 15 Sep 2024 22:44:00 +0530
Subject: [PATCH 1/4] docker: add SLSA provenance to .github workflow
* the id-token of the GitHub Actions workflow will be used for image signing
* replace branch-based tagging with SHA-based tagging since, branch names are mutable, SLSA provenance requires immutable tagging
* use official SLSA framework Github Reusable workflow
docker: fix incorrect registry name in image output step
* use REGISTRY environment variable instead of IMAGE_REGISTRY
docker: revert change to remove branch tag
---
 .github/workflows/docker.yml | 32 +++++++++++++++++++++++++++++++-
 changelog/unreleased/issue-4983 | 8 ++++++++
 2 files changed, 39 insertions(+), 1 deletion(-)
 create mode 100644 changelog/unreleased/issue-4983
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index a24660b45..56a39aaec 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -19,6 +19,11 @@ jobs:
 permissions:
 contents: read
 packages: write
+ id-token: write # needed for signing the images with GitHub OIDC Token
+
+ outputs:
+ image: ${{ steps.image.outputs.image }}
+ digest: ${{ steps.build-and-push.outputs.digest }}
 steps:
 - name: Checkout repository
@@ -37,7 +42,8 @@ jobs:
 with:
 images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 tags: |
- type=ref,event=branch
+ type=sha
+ type=ref, event=branch
 type=semver,pattern={{version}}
 type=semver,pattern={{major}}.{{minor}}
@@ -55,6 +61,7 @@ jobs:
 if: github.ref != 'refs/heads/master'
 - name: Build and push Docker image
+ id: build-and-push
 uses: docker/build-push-action@15560696de535e4014efeff63c48f16952e52dd1
 with:
 push: true 
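Review bot: The new `type=sha` entry in the tags hunk (@@ -37,7) has no comment, and the rationale in the commit message — immutable tagging for SLSA — does not describe how the provenance is actually consumed: the `provenance` job added later in this patch is given `image` and `digest`, and the verification command in PATCH 2/4 addresses the image by digest, so the attestation is bound to the digest rather than to any tag. A short comment keeps that straight: `# type=sha: immutable per-commit tag; provenance itself is bound to the image digest, not a tag`. The `type=ref, event=branch` line below it carries a stray space after the comma, which PATCH 3/4 corrects. The step these tags belong to (presumably a metadata-action step) starts outside the hunk.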
@@ -64,3 +71,26 @@ jobs:
 pull: true
 tags: ${{ steps.meta.outputs.tags }}
 labels: ${{ steps.meta.outputs.labels }}
+
+ - name: Output image
+ id: image
+ run: |
+ # NOTE: Set the image as an output because the `env` context is not
+ # available to the inputs of a reusable workflow call.
+ image_name="${REGISTRY}/${IMAGE_NAME}"
+ echo "image=$image_name" >> "$GITHUB_OUTPUT"
+
+ provenance:
+ needs: [build-and-push-image]
+ permissions:
+ actions: read # for detecting the Github Actions environment.
+ id-token: write # for creating OIDC tokens for signing.
+ packages: write # for uploading attestations.
+ if: github.repository == 'restic/restic'
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
+ with:
+ image: ${{ needs.build-and-push-image.outputs.image }}
+ digest: ${{ needs.build-and-push-image.outputs.digest }}
+ registry-username: ${{ github.actor }}
+ secrets:
+ registry-password: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file
diff --git a/changelog/unreleased/issue-4983 b/changelog/unreleased/issue-4983
new file mode 100644
index 000000000..6649504bb
--- /dev/null
+++ b/changelog/unreleased/issue-4983
@@ -0,0 +1,8 @@
+Enhancement: add SLSA provenance to the Docker images
+
+Restic's Docker image build workflow now includes SLSA provenance generation.
+This enhancement improves the security and traceability of the Docker images'
+build process.
+
+https://github.com/restic/restic/issues/4983
+https://github.com/restic/restic/pull/4999
\ No newline at end of file
From d422e75e0884882a8f18eeae8398c4dc721a2c21 Mon Sep 17 00:00:00 2001
From: Srigovind Nayak
Date: Sun, 29 Sep 2024 15:56:17 +0530
Subject: [PATCH 2/4] docs: add instructions for verifying SLSA provenance of Docker images
docs: update the documentation
---
 doc/developer_information.rst | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
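Review bot: The new `provenance` job has no comment explaining the trust chain it establishes, and its wiring rests on a job id the hunk does not show: `needs: [build-and-push-image]` and the `needs.build-and-push-image.outputs.*` inputs assume the build job is named `build-and-push-image`, whose header is outside the hunk. I would add a comment above `provenance:` stating that the generator signs the attestation with this job's own OIDC identity (hence `id-token: write` in this job), that the attestation is bound to the `digest` output rather than to any tag (which is why the `Output image` step exports the bare `${REGISTRY}/${IMAGE_NAME}` with no tag), and that `if: github.repository == 'restic/restic'` restricts attestation to images published from the upstream repository. The `uses:` line references the generator by release tag `@v2.0.0`; as I recall, the slsa-github-generator documentation asks for a tag reference rather than a commit hash, so a one-line comment such as `# referenced by release tag as the generator's docs require; confirm before SHA-pinning` would stop a later reviewer from changing it — verify that against the generator's README.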
diff --git a/doc/developer_information.rst b/doc/developer_information.rst
index f0fe28c32..f1eae3a67 100644
--- a/doc/developer_information.rst
+++ b/doc/developer_information.rst
@@ -113,6 +113,34 @@ The following steps are necessary to build the binaries:
 restic/builder \
 go run helpers/build-release-binaries/main.go --version 0.14.0 --verbose
+Verifying SLSA Provenance for Docker Images
+*******************************************
+
+Our Docker images are built with SLSA (Supply-chain Levels for Software Artifacts)
+provenance.
+
+To verify this provenance:
+
+1. Install the `slsa-verifier` tool from https://github.com/slsa-framework/slsa-verifier
+
+2. Run the following command:
+
+ .. code-block:: console
+
+ $ slsa-verifier verify-image \
+ --source-uri github.com/restic/restic \
+ @
+
+ Replace `` with the Git tag of the release you're verifying, ``
+ with the full name of the Docker image (including the registry), and ``
+ with the SHA256 digest of the image.
+
+3. If the verification is successful, you'll see output indicating that the provenance
+is valid.
+
+This verification ensures that the Docker image was built by our official GitHub
+Actions workflow and has not been tampered with since its creation.
+
 Verifying the Official Binaries
 *******************************
From 4fb9aa4351ab27d90972900a095f31613b60b096 Mon Sep 17 00:00:00 2001
From: Srigovind Nayak <5201843+konidev20@users.noreply.github.com>
Date: Mon, 2 Dec 2024 00:16:19 +0530
Subject: [PATCH 3/4] docker: fix typos and permissions for jobs
---
 .github/workflows/docker.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 56a39aaec..1a75604e6 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -19,7 +19,6 @@ jobs:
 permissions:
 contents: read
 packages: write
- id-token: write # needed for signing the images with GitHub OIDC Token
 outputs:
 image: ${{ steps.image.outputs.image }}
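Review bot: With `id-token: write` removed from the build job (hunk @@ -19,7), its remaining `outputs:` block no longer carries any hint of why `digest` is exported, so I would add above it `# consumed by the provenance job, which signs with its own id-token permission`. The removal itself is right only if no other step of the build job requests an OIDC token; most of that job's steps are outside the hunk, so that is worth confirming. The `outputs:` block itself continues past the end of the hunk.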
@@ -43,7 +42,7 @@ jobs:
 images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 tags: |
 type=sha
- type=ref, event=branch
+ type=ref,event=branch
 type=semver,pattern={{version}}
 type=semver,pattern={{major}}.{{minor}}
From 8d45a4b2833c209d41368df60e65d096df3fb1d3 Mon Sep 17 00:00:00 2001
From: Srigovind Nayak <5201843+konidev20@users.noreply.github.com>
Date: Mon, 2 Dec 2024 01:11:26 +0530
Subject: [PATCH 4/4] changelog: update to indicate change applies only for GHCR images.
---
 changelog/unreleased/issue-4983 | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/changelog/unreleased/issue-4983 b/changelog/unreleased/issue-4983
index 6649504bb..e5292cf5c 100644
--- a/changelog/unreleased/issue-4983
+++ b/changelog/unreleased/issue-4983
@@ -1,8 +1,8 @@
-Enhancement: add SLSA provenance to the Docker images
+Enhancement: add SLSA provenance to the GHCR Container images
-Restic's Docker image build workflow now includes SLSA provenance generation.
-This enhancement improves the security and traceability of the Docker images'
-build process.
+Restic's GitHub Container Registry (GHCR) image build workflow now includes
+SLSA provenance generation. This enhancement improves the security and
+traceability of images built and pushed to GHCR.
 https://github.com/restic/restic/issues/4983
 https://github.com/restic/restic/pull/4999
\ No newline at end of file