ci(sign-object): harden the image release (tags, labels, nonroot, provenance)#54
ci(sign-object): harden the image release (tags, labels, nonroot, provenance)#54entlein wants to merge 2 commits into
Conversation
…venance) - Dockerfile: pin the distroless base by digest and use the nonroot variant (UID 65532); build with -trimpath -ldflags="-s -w"; add OCI labels (title, description, licenses=Apache-2.0, source). - Workflow: replace the ad-hoc tag step with docker/metadata-action (SHA-pinned), emitting an immutable sha- tag plus the dispatch/version tag, with OCI labels; enable provenance + SBOM attestation. - Add .dockerignore to trim the build context.
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Plus Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Performance Benchmark ResultsNode-Agent Resource Usage
Dedup EffectivenessNo data available. |
Plain `docker run -v "$PWD:/work" …` failed with the nonroot distroless base (permission denied writing to the host dir); users had to pass `--user $(id -u):$(id -g)`. Switch to a small alpine base + su-exec entrypoint that detects the bind-mounted /work owner and drops to it, so files are written user-owned with no flag. sign-object still never runs as root when a non-root /work is mounted.
Performance Benchmark ResultsNode-Agent Resource Usage
Dedup EffectivenessNo data available. |
Hardens the
sign-objectimage build to release best-practices, ahead of cutting v0.0.3 (referenced by the Bill-of-Behavior signing/tamper docs).Dockerfile (
cmd/sign-object/Dockerfile)gcr.io/distroless/static-debian13:nonroot@sha256:963fa6c5…, UID 65532) — reproducible, non-root.-trimpath -ldflags="-s -w"(smaller, no local paths).title,description,licenses=Apache-2.0,source.Workflow (
.github/workflows/sign-object.yaml)docker/metadata-action(SHA-pinned): every image gets an immutablesha-<short>tag plus theworkflow_dispatchversion tag;latestonly on the default branch.provenance: true+sbom: trueattestations.linux/amd64,linux/arm64) unchanged..dockerignore— trims the build context.Already minimal (distroless static, static CGO-off binary) and Apache-2.0-licensed; this makes tagging immutable, labels the license on the image, drops root, and adds supply-chain attestation. The PR build (pull_request) validates the image without pushing.