diff --git a/.github/workflows/release-docker-image.yaml b/.github/workflows/release-docker-image.yaml index 3f4420d..7a0d6fe 100644 --- a/.github/workflows/release-docker-image.yaml +++ b/.github/workflows/release-docker-image.yaml @@ -45,6 +45,14 @@ on: jobs: Image: + permissions: + contents: write + packages: write + security-events: write + pull-requests: write + id-token: write + attestations: write + artifact-metadata: write uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-publish-java-to-docker-versioned.yaml@v3 with: release_type: ${{ inputs.release_type }} diff --git a/README.md b/README.md index 4b53f00..db134b0 100644 --- a/README.md +++ b/README.md @@ -37,3 +37,20 @@ mvn clean compile exec:java -Dvertex-configpath=conf/local-config.json ``` mvn clean compile exec:java -Dvertx-config-path=conf/integ-config.json ``` + +## Verifying image provenance + +Every non-snapshot image published by this repo's release workflow ships with a [SLSA v1.0](https://slsa.dev/spec/v1.0/) build-provenance attestation, signed by GitHub's [Sigstore](https://www.sigstore.dev/) instance via the OIDC identity of the [shared publish workflow](https://github.com/IABTechLab/uid2-shared-actions). The attestation cryptographically binds the image digest to the source commit, the signing workflow, and the runner that built it. + +To verify an image, install [`gh`](https://cli.github.com/) (≥ 2.49) and run: + +```bash +gh attestation verify \ + oci://ghcr.io/iabtechlab/uid2-core: \ + --owner IABTechLab \ + --signer-repo IABTechLab/uid2-shared-actions +``` + +A successful run prints `✓ Verification succeeded!` followed by the SLSA provenance fields — including `sourceRepositoryDigest` (the source commit), `workflow.path` (the signing workflow), and the runner identity. + +Snapshot tags (`-SNAPSHOT` suffix) deliberately skip attestation. `gh attestation verify` returns `no attestations found` against a snapshot — that's expected.