Improving provenance of image #4834
Conversation
Using native action to login to ghcr.io. Replaced multiple tagging commands with a single one. Using build-push-action instead of script. This adds the provenance by default, see https://docs.docker.com/build/ci/github-actions/attestations/#default-provenance. This gives the image a better score in DockerHub scout health score.
| --annotation "index:org.opencontainers.image.title=${{ matrix.name }}" \ | ||
| --annotation "index:org.opencontainers.image.description=${{ matrix.description }}" \ | ||
| --annotation "index:org.opencontainers.image.created=$(date '+%FT%TZ')" \ | ||
| --annotation "index:org.opencontainers.image.revision=${{ github.sha }}" \ | ||
| --annotation "index:org.opencontainers.image.authors=Particular Software" \ | ||
| --annotation "index:org.opencontainers.image.vendor=Particular Software" \ | ||
| --annotation "index:org.opencontainers.image.version=${{ env.MinVerVersion }}" \ | ||
| --annotation "index:org.opencontainers.image.source=https://github.com/${{ github.repository }}/tree/${{ github.sha }}" \ | ||
| --annotation "index:org.opencontainers.image.url=https://hub.docker.com/r/particular/${{ matrix.name }}" \ | ||
| --annotation "index:org.opencontainers.image.documentation=https://docs.particular.net/servicecontrol/" \ | ||
| --annotation "index:org.opencontainers.image.base.name=mcr.microsoft.com/dotnet/aspnet:8.0-jammy-chiseled-composite-extra" \ |
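Review bot: deleting these `--annotation "index:..."` flags removes every OCI annotation from the image index (the manifest list that `imagetools inspect --raw` shows), and the per-architecture manifests never carried them, so `revision`, `source`, `base.name` and the rest are gone from the published artifact rather than moved. build-push-action accepts the same keys through its `annotations` input, including the `index:` prefix, so they can be kept in the workflow instead of dropped, e.g. `annotations: |` followed by `index:org.opencontainers.image.revision=${{ github.sha }}` and the other entries above.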
By removing all of this stuff, that means we're not setting any annotations at the index level, only the image level. Is there a way to maintain this data at the index level as well using the build actions?
@DavidBoike do we need it? What does it do for us?
Also, how do I check what is set and what is not?
I am asking because if you look at the cli call it produces, it creates some metadata, see https://github.com/Particular/ServiceControl/actions/runs/13491741985/job/37690969138?pr=4834#step:9:175, so maybe it does set it.
If you log in to GHCR with your PAT, and then look at an existing manifest, let's say for 6.4.0-alpha.0.22 using the following: (--raw gives it to you as raw JSON that doesn't strip stuff out)
docker buildx imagetools inspect ghcr.io/particular/servicecontrol:6.4.0-alpha.0.22 --raw
You'll see all the annotations there. This is the "index" level, the thing that points to the amd64/arm64 digests as well as the "unknown" architecture digests that are attestation metadata for each of the 2 architectures.
You can also pull the amd64 metadata by referencing the SHA:
docker buildx imagetools inspect ghcr.io/particular/servicecontrol:6.4.0-alpha.0.22@sha256:8997a5697b96a0d0a363a9f6b922d337847c3fa85a20a38b90e2a58739f9b91c --raw
No annotations/attestations, just pointing to the layers.
If you do an attestation manifest:
docker buildx imagetools inspect ghcr.io/particular/servicecontrol:6.4.0-alpha.0.22@sha256:c97784a1668a0aeb58ac319881f29c1111a2f83773e8459b9e32a769f1c3cdd1 --raw
Not much to see there.
So all to say the hope was that we were annotating everything at the "index" level which would apply to the whole version including all architectures, which this PR is currently losing.
If I repeat for the tag pr-4834 built by this PR:
docker buildx imagetools inspect ghcr.io/particular/servicecontrol:pr-4834 --raw
docker buildx imagetools inspect ghcr.io/particular/servicecontrol:pr-4834@sha256:9f4649f3780631024b3c4d24baf220fdcc53b2e23e25b3b872ef96ab3c0cf0a0 --raw
docker buildx imagetools inspect ghcr.io/particular/servicecontrol:6.4.0-alpha.0.22@sha256:e616aee45bbb8f7bfb29dcce810c269a3004dd88cc7085834c046860a3c6c942 --raw
First one loses the annotations and doesn't really "replace" it anywhere.
So Docker Hub doesn't currently show this anywhere (other registries might? GHCR only shows the description on pages like this one but that's just a staging area) but given the annotations are a standard it seems reasonable to assume that someday it might?? So while not critical it does concern me to just throw it away.
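The distinction drawn above (index-level annotations versus the per-architecture and attestation manifests the index points to) can be checked mechanically on the `--raw` output. This is an added example, not code from the ServiceControl repository; the sample index and config blob are constructed with placeholder digests, and `classify_index` / `missing_metadata` are hypothetical helper names.

```python
"""Check where OCI metadata ended up for a multi-arch image.

Input shape: the image index JSON from `docker buildx imagetools inspect <ref> --raw`
and the OCI image config blob ("config" -> "Labels"). Sample data below is constructed.
"""
import json

ATTESTATION_TYPE = "vnd.docker.reference.type"  # buildx marks attestation manifests with this
REQUIRED = ("org.opencontainers.image.revision", "org.opencontainers.image.source")

def classify_index(index):
    """Split an OCI index into platform manifests and attestation manifests.

    Returns (index_annotations, platforms, attestations): platforms maps "os/arch"
    to the manifest digest; attestations maps each attestation manifest digest to
    the digest of the platform manifest it describes (vnd.docker.reference.digest).
    """
    platforms, attestations = {}, {}
    for m in index.get("manifests", []):
        ann = m.get("annotations", {})
        plat = m.get("platform", {})
        if ann.get(ATTESTATION_TYPE) == "attestation-manifest":
            attestations[m["digest"]] = ann.get("vnd.docker.reference.digest")
        else:
            platforms[f"{plat.get('os')}/{plat.get('architecture')}"] = m["digest"]
    return index.get("annotations", {}), platforms, attestations

def missing_metadata(index, config):
    """List required OCI keys absent from index annotations and from config labels."""
    index_ann, _, _ = classify_index(index)
    labels = config.get("config", {}).get("Labels") or {}
    return {"index": [k for k in REQUIRED if k not in index_ann],
            "labels": [k for k in REQUIRED if k not in labels]}

# Constructed sample index (placeholder digests): annotations set at index level,
# one amd64 manifest plus the "unknown/unknown" attestation manifest that refers to it.
INDEX_WITH_ANNOTATIONS = json.loads("""{
  "schemaVersion": 2, "mediaType": "application/vnd.oci.image.index.v1+json",
  "manifests": [
    {"mediaType": "application/vnd.oci.image.manifest.v1+json", "digest": "sha256:aaaa",
     "size": 1, "platform": {"architecture": "amd64", "os": "linux"}},
    {"mediaType": "application/vnd.oci.image.manifest.v1+json", "digest": "sha256:bbbb",
     "size": 1, "platform": {"architecture": "unknown", "os": "unknown"},
     "annotations": {"vnd.docker.reference.digest": "sha256:aaaa",
                     "vnd.docker.reference.type": "attestation-manifest"}}],
  "annotations": {"org.opencontainers.image.revision": "deadbeef",
                  "org.opencontainers.image.source": "https://github.com/example/repo"}}""")
# Same index as produced when the index: annotations are dropped.
INDEX_WITHOUT_ANNOTATIONS = dict(INDEX_WITH_ANNOTATIONS, annotations={})
# Constructed config blob: only one of the two keys was applied as an image label.
CONFIG = {"config": {"Labels": {"org.opencontainers.image.revision": "deadbeef"}}}
```

Running `missing_metadata` on both indexes shows the difference the reviewer is pointing at: the first reports nothing missing at the index level, the second reports both keys.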
@DavidBoike I think this may work 14c63fd (#4834)
There is still a bit of repetition, but at least it is all in the same file.
What do you think?
From docker buildx imagetools inspect ghcr.io/particular/servicecontrol:pr-4834 --raw looks like it does the trick for the annotations, but I have to admit I don't even remember (if I ever knew) how to validate that the labels are applied.
I'll check the labels
Co-authored-by: David Boike <david.boike@gmail.com>
DavidBoike left a comment
Removing my "request changes"
Using native action to login to ghcr.io.
Replaced multiple tagging commands with a single one.
Using build-push-action instead of script.
This adds the provenance by default, see https://docs.docker.com/build/ci/github-actions/attestations/#default-provenance.
This gives the image a better score in DockerHub scout health score.
This is the same changes as Particular/ServiceControl.Connector.MassTransit#182