Conversation

@martincostello martincostello commented Nov 5, 2025

Add steps to attest and sign the images pushed to GHCR with GitHub Attestations and Cosign.

Once merged and verified working, I'll migrate us from build-push-to-dockerhub to the new docker-build-push-image action, then afterwards we should be able to sign the images pushed to Docker Hub too (see #850 and #851).

Upgrade sigstore/cosign-installer to v4 to install cosign v3.
Copilot AI review requested due to automatic review settings November 5, 2025 16:35
Copilot AI left a comment

Pull Request Overview

This PR adds signing and attestation capabilities for container images pushed to GitHub Container Registry (GHCR). The changes enhance security and provenance tracking by integrating GitHub Attestations for build provenance and Cosign for cryptographic signing of container images.

Key Changes:

  • Added build provenance attestation using GitHub's native attestation action
  • Integrated Cosign for cryptographic signing of published container images
  • Enhanced Docker build configuration with caching and proper output handling

@martincostello martincostello enabled auto-merge (squash) November 5, 2025 16:41
@martincostello martincostello merged commit a2d16cd into main Nov 6, 2025
44 checks passed
@martincostello martincostello deleted the cosign-image branch November 6, 2025 15:58
@martincostello (Member, Author)

Verified with:

VERSION="main"
IMAGE="ghcr.io/grafana/docker-otel-lgtm:${VERSION}"
IDENTITY="https://github.com/grafana/docker-otel-lgtm/.github/workflows/ghcr-image-build-and-publish.yml@refs/heads/${VERSION}"
OIDC_ISSUER="https://token.actions.githubusercontent.com"

cosign verify ${IMAGE} --certificate-identity ${IDENTITY} --certificate-oidc-issuer ${OIDC_ISSUER}
Verification for ghcr.io/grafana/docker-otel-lgtm:main --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - The code-signing certificate was verified using trusted certificate authority certificates

[{"critical":{"identity":{"docker-reference":"ghcr.io/grafana/docker-otel-lgtm:main"},"image":{"docker-manifest-digest":"sha256:3c634afce1a25a06e11ff24a150ec500cd220dca80212e97c035511bc9692faa"},"type":"https://sigstore.dev/cosign/sign/v1"},"optional":null},{"critical":{"identity":{"docker-reference":"ghcr.io/grafana/docker-otel-lgtm:main"},"image":{"docker-manifest-digest":"sha256:3c634afce1a25a06e11ff24a150ec500cd220dca80212e97c035511bc9692faa"},"type":"https://slsa.dev/provenance/v1"},"optional":null}]
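The JSON array that `cosign verify` writes to stdout (the human-readable lines above it go to stderr) is worth checking in automation rather than just eyeballing it: cosign has already validated the signatures and the certificate identity, but a consumer still has to confirm that the claims name the image reference it asked for, that the manifest digest is the one it is about to pull, and that both expected claim types (the Cosign signature and the SLSA provenance attestation) are present. The script below is an added example, not code from the PR or the project. Its sample input is the verify output quoted in the comment above, with the digest printed there; in real use the expected digest would come from the image you intend to run (for example the digest shown by `docker buildx imagetools inspect`), and the script name `check_cosign.py` is a placeholder.

```python
import json
import sys

# Sample input: the JSON array that `cosign verify` wrote to stdout in the
# verification run quoted above (copied from the page; the digest is the one
# printed there, not a value constructed here).
COSIGN_VERIFY_OUTPUT = (
    '[{"critical":{"identity":{"docker-reference":"ghcr.io/grafana/docker-otel-lgtm:main"},'
    '"image":{"docker-manifest-digest":"sha256:3c634afce1a25a06e11ff24a150ec500cd220dca80212e97c035511bc9692faa"},'
    '"type":"https://sigstore.dev/cosign/sign/v1"},"optional":null},'
    '{"critical":{"identity":{"docker-reference":"ghcr.io/grafana/docker-otel-lgtm:main"},'
    '"image":{"docker-manifest-digest":"sha256:3c634afce1a25a06e11ff24a150ec500cd220dca80212e97c035511bc9692faa"},'
    '"type":"https://slsa.dev/provenance/v1"},"optional":null}]'
)

IMAGE_REF = "ghcr.io/grafana/docker-otel-lgtm:main"
PAGE_DIGEST = "sha256:3c634afce1a25a06e11ff24a150ec500cd220dca80212e97c035511bc9692faa"

# Claim types the workflow in this PR produces: the Cosign image signature and
# the SLSA provenance attestation. Both appear in the output above.
REQUIRED_TYPES = frozenset({
    "https://sigstore.dev/cosign/sign/v1",
    "https://slsa.dev/provenance/v1",
})


def check_verify_output(raw, image_ref, expected_digest, required_types=REQUIRED_TYPES):
    """Check the JSON that `cosign verify` printed to stdout.

    Returns (ok, problems). ok is True only when every claim names the
    expected image reference and manifest digest and every required claim
    type is present. cosign has already checked the signatures and the
    certificate identity; this step ties that result to the exact digest
    the caller intends to run.
    """
    try:
        claims = json.loads(raw)
    except json.JSONDecodeError as exc:
        return False, [f"output is not JSON: {exc}"]
    if not isinstance(claims, list) or not claims:
        return False, ["no signatures in output"]

    problems = []
    seen_types = set()
    for i, claim in enumerate(claims):
        critical = claim.get("critical") or {}
        ref = (critical.get("identity") or {}).get("docker-reference")
        digest = (critical.get("image") or {}).get("docker-manifest-digest")
        seen_types.add(critical.get("type"))
        if ref != image_ref:
            problems.append(f"claim {i}: docker-reference {ref!r} != {image_ref!r}")
        if digest != expected_digest:
            problems.append(f"claim {i}: manifest digest {digest!r} != {expected_digest!r}")
    for claim_type in sorted(required_types - seen_types):
        problems.append(f"missing claim type {claim_type}")
    return (not problems), problems


def main(argv):
    """Usage: cosign verify IMAGE ... 2>/dev/null | python check_cosign.py IMAGE DIGEST

    With no arguments, the sample output above is checked against the page's values.
    """
    if len(argv) == 3:
        raw, ref, digest = sys.stdin.read(), argv[1], argv[2]
    else:
        raw, ref, digest = COSIGN_VERIFY_OUTPUT, IMAGE_REF, PAGE_DIGEST
    ok, problems = check_verify_output(raw, ref, digest)
    for problem in problems:
        print("FAIL:", problem)
    print("ok" if ok else "verification output did not match expectations")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The digest comparison is the part that matters: `cosign verify` resolves a tag such as `:main` to a digest at verification time, and a mutable tag can move between that resolution and the later `docker pull`. Checking the digest in the claims against the digest you then pull by `@sha256:...` closes that window, and the missing-type check catches a push where signing ran but the provenance attestation step did not.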
