From 0f1f27a1ca786b60097d9c4c9b2caf35c60161f0 Mon Sep 17 00:00:00 2001 From: Behnam Mozafari Date: Fri, 8 May 2026 15:54:08 +1000 Subject: [PATCH 1/3] UID2-6764: grant id-token and attestations write for SLSA provenance Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/release-docker-image.yaml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/workflows/release-docker-image.yaml b/.github/workflows/release-docker-image.yaml index 3f4420d..6eafcc3 100644 --- a/.github/workflows/release-docker-image.yaml +++ b/.github/workflows/release-docker-image.yaml @@ -45,6 +45,13 @@ on: jobs: Image: + permissions: + contents: write + packages: write + security-events: write + pull-requests: write + id-token: write + attestations: write uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-publish-java-to-docker-versioned.yaml@v3 with: release_type: ${{ inputs.release_type }} From 88e86b8fc4d9e753b5432db3643256ba5a1b5ca8 Mon Sep 17 00:00:00 2001 From: Behnam Mozafari Date: Mon, 11 May 2026 10:17:20 +1000 Subject: [PATCH 2/3] UID2-6764: also grant artifact-metadata:write for attest@v4 storage record actions/attest@v4.1.0 calls GitHub's artifact-metadata API (create-storage-record:true by default). Without this permission the run logs 'Failed to persist storage record'; attestation still works but the new GitHub UI "Attestations" tab doesn't get cross-linked metadata. Matches the addition on uid2-shared-actions#228. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/release-docker-image.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/release-docker-image.yaml b/.github/workflows/release-docker-image.yaml index 6eafcc3..7a0d6fe 100644 --- a/.github/workflows/release-docker-image.yaml +++ b/.github/workflows/release-docker-image.yaml @@ -52,6 +52,7 @@ jobs: pull-requests: write id-token: write attestations: write + artifact-metadata: write uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-publish-java-to-docker-versioned.yaml@v3 with: release_type: ${{ inputs.release_type }} From 1c424cddcae91d24a148a1f7ba60a96ef5cb7668 Mon Sep 17 00:00:00 2001 From: Behnam Mozafari Date: Tue, 12 May 2026 09:21:22 +1000 Subject: [PATCH 3/3] UID2-6764: document image provenance verification --- README.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/README.md b/README.md index 4b53f00..db134b0 100644 --- a/README.md +++ b/README.md @@ -37,3 +37,20 @@ mvn clean compile exec:java -Dvertex-configpath=conf/local-config.json ``` mvn clean compile exec:java -Dvertx-config-path=conf/integ-config.json ``` + +## Verifying image provenance + +Every non-snapshot image published by this repo's release workflow ships with a [SLSA v1.0](https://slsa.dev/spec/v1.0/) build-provenance attestation, signed by GitHub's [Sigstore](https://www.sigstore.dev/) instance via the OIDC identity of the [shared publish workflow](https://github.com/IABTechLab/uid2-shared-actions). The attestation cryptographically binds the image digest to the source commit, the signing workflow, and the runner that built it. + +To verify an image, install [`gh`](https://cli.github.com/) (≥ 2.49) and run: + +```bash +gh attestation verify \ + oci://ghcr.io/iabtechlab/uid2-core: \ + --owner IABTechLab \ + --signer-repo IABTechLab/uid2-shared-actions +``` + +A successful run prints `✓ Verification succeeded!` followed by the SLSA provenance fields — including `sourceRepositoryDigest` (the source commit), `workflow.path` (the signing workflow), and the runner identity. + +Snapshot tags (`-SNAPSHOT` suffix) deliberately skip attestation. `gh attestation verify` returns `no attestations found` against a snapshot — that's expected.