
Commit 96413b3

Supply-chain docs + publish summary for cosign/SBOM
1 parent 550372f commit 96413b3

2 files changed

Lines changed: 18 additions & 3 deletions


.github/workflows/docker-publish.yml

Lines changed: 14 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -193,3 +193,17 @@ jobs:
193193
run: |
194194
set -euo pipefail
195195
cosign attest --yes --type spdxjson --predicate sbom.spdx.json "${{ steps.image.outputs.image }}@${{ steps.image.outputs.digest }}"
196+
197+
- name: Publish summary
198+
shell: bash
199+
run: |
200+
set -euo pipefail
201+
{
202+
echo "### crispr-gpu CPU image published"
203+
echo ""
204+
echo "- Image: \`${{ steps.image.outputs.image }}@${{ steps.image.outputs.digest }}\`"
205+
echo "- Cosign signature ref: \`${{ steps.cosign.outputs.signature_ref }}\`"
206+
echo "- Git ref: \`${{ steps.vars.outputs.tag }}\`"
207+
echo "- Git sha: \`${{ steps.git.outputs.sha }}\`"
208+
echo "- Workflow run id: \`${{ github.run_id }}\`"
209+
} >> "$GITHUB_STEP_SUMMARY"
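Review bot: the new `Publish summary` step (lines 197-209) expands `${{ steps.vars.outputs.tag }}` and the other `${{ }}` expressions directly inside the `run:` script body. Those expressions are substituted before bash parses the script, so a value containing a backtick, a quote or `$(` is executed rather than printed; this is the pattern GitHub's own hardening guidance tells you to avoid. Map the values into `env:` on the step (e.g. `GIT_TAG: ${{ steps.vars.outputs.tag }}`) and echo the shell variables (`echo "- Git ref: \`${GIT_TAG}\`"`) instead. Two follow-ups on the same lines: `steps.cosign.outputs.signature_ref` and `steps.git.outputs.sha` are referenced but not set anywhere in this hunk, and an undeclared step output renders as an empty code span rather than failing, so either guard with `[ -n "$SIG_REF" ]` or use `${{ github.sha }}` for the sha; and since the step immediately above attests an SPDX SBOM to the same digest, the summary would be more useful if it also named the predicate type (`spdxjson`) so a consumer knows which `cosign verify-attestation --type` to run.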

docs/supply_chain.md

Lines changed: 4 additions & 3 deletions
@@ -21,17 +21,19 @@ DIGEST="sha256:..." # immutable digest, not a tag
2121
Verify the signature for the digest:
2222
```bash
2323
cosign verify \
24-
--certificate-identity-regexp '^https://github.com/omniscoder/crispr-gpu/.github/workflows/docker-publish\.yml@refs/tags/v[0-9]+\.[0-9]+\.[0-9]+$' \
24+
--certificate-identity-regexp '^https://github.com/omniscoder/crispr-gpu/.github/workflows/docker-publish\.yml@refs/(tags/v[0-9]+\.[0-9]+\.[0-9]+|heads/master)$' \
2525
--certificate-issuer 'https://token.actions.githubusercontent.com' \
2626
"${IMAGE}@${DIGEST}"
2727
```
2828

29+
If you want *strict release-only* verification, tighten the identity to `@refs/tags/vX.Y.Z` instead of allowing `@refs/heads/master`.
30+
2931
## Verify an SBOM attestation exists (same digest)
3032

3133
```bash
3234
cosign verify-attestation \
3335
--type spdxjson \
34-
--certificate-identity-regexp '^https://github.com/omniscoder/crispr-gpu/.github/workflows/docker-publish\.yml@refs/tags/v[0-9]+\.[0-9]+\.[0-9]+$' \
36+
--certificate-identity-regexp '^https://github.com/omniscoder/crispr-gpu/.github/workflows/docker-publish\.yml@refs/(tags/v[0-9]+\.[0-9]+\.[0-9]+|heads/master)$' \
3537
--certificate-issuer 'https://token.actions.githubusercontent.com' \
3638
"${IMAGE}@${DIGEST}"
3739
```
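Review bot: widening the identity regexp to `(tags/v...|heads/master)` on lines 24 and 36 means anyone who copies these commands now trusts any image signed by a push-to-master run, unreleased builds included; the new sentence at line 29 says how to tighten it but gives only the format (`@refs/tags/vX.Y.Z`), not the flag. Make the strict variant copy-pasteable: `--certificate-identity 'https://github.com/omniscoder/crispr-gpu/.github/workflows/docker-publish.yml@refs/tags/v1.2.3'` (the exact-match flag, with the released version substituted). Since the same regexp is now duplicated in the signature and attestation commands, put it in one shell variable (`IDENTITY_RE=...`) above both so the two cannot drift. Two smaller points on the same lines: `/.github/` is unescaped in both regexps, so that `.` matches any character; write `/\.github/` for the strictness the `\.yml` already has. And please check the issuer flag name against the cosign version the doc targets: cosign v2 spells it `--certificate-oidc-issuer`, and I do not believe `--certificate-issuer` (lines 25 and 37) is accepted as an alias, in which case the command as written fails before verifying anything.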
@@ -48,4 +50,3 @@ docker run --rm \
4850
-v "$(pwd)/reports_docker:/out" \
4951
"${IMAGE}@${DIGEST}"
5052
```
51-
