
Commit c44e5bb

authored
Image Annotations & Attestations (#322)
* Add provenance and sbom. * Update action. * Add labels and annotations. * Update production image release action. * Changeset. * docker/build-push-action@v6 * Fix metadata action. * Add annotations on the index.
1 parent 060b829 commit c44e5bb


3 files changed

+60
-5
lines changed


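--- a/.changeset/silent-suns-watch.md
+++ b/.changeset/silent-suns-watch.md
@@ -0,0 +1,5 @@
+---
+'@powersync/service-image': patch
+---
+
+Add attestations to Docker image.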

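--- a/.github/workflows/development_image_release.yaml
+++ b/.github/workflows/development_image_release.yaml
@@ -67,13 +67,38 @@ jobs:
 id: get_version
 run: echo "SERVICE_VERSION=$(node -p "require('./service/package.json').version")" >> $GITHUB_OUTPUT
 
+- name: Extract metadata for the image
+uses: docker/metadata-action@v5
+id: meta
+with:
+images: ${{ vars.DOCKER_REGISTRY }}
+labels: |
+org.opencontainers.image.licenses=FSL-1.1-ALv2
+org.opencontainers.image.version=${{ steps.get_version.outputs.SERVICE_VERSION }}
+org.opencontainers.image.vendor=Journey Mobile, Inc
+annotations: |
+org.opencontainers.image.licenses=FSL-1.1-ALv2
+org.opencontainers.image.version=${{ steps.get_version.outputs.SERVICE_VERSION }}
+org.opencontainers.image.vendor=Journey Mobile, Inc
+env:
+DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
+
 - name: Build Image and Push
-uses: docker/build-push-action@v5
+uses: docker/build-push-action@v6
 with:
 platforms: linux/arm64,linux/amd64
 cache-from: type=registry,ref=${{vars.DOCKER_REGISTRY}}:latest
 context: .
-# This should not be taged as latest
+# This should not be taged as latest
 tags: ${{vars.DOCKER_REGISTRY}}:${{steps.get_version.outputs.SERVICE_VERSION}}
-push: true
 file: ./service/Dockerfile
+push: true
+
+# Add labels and annotations from metadata-action above.
+labels: ${{ steps.meta.outputs.labels }}
+annotations: ${{ steps.meta.outputs.annotations }}
+# Note: This includes build args in the published provenance.
+# Do not use this if secrets are passed in as args.
+provenance: mode=max
+# Pre-generate an SBOM file, which can be used for vulnerability scanning or listing licenses.
+sbom: true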
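Review bot: The two steps this hunk adds or bumps are pinned to mutable tags (`uses: docker/metadata-action@v5`, `uses: docker/build-push-action@v6`), which is the weak link in a change whose whole purpose is to publish provenance and an SBOM: the attestation is only as trustworthy as the action that produced it, and a moved tag changes that silently. Pin each to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: docker/build-push-action@<FULL_COMMIT_SHA>  # v6`, and let Dependabot or Renovate advance the pin; the same applies to the identical steps added in .github/workflows/packages_release.yaml. The comment above `provenance: mode=max` is the right caveat; it is worth extending it with the safe alternative, e.g. `# If a build-time secret is ever needed, pass it via the secrets: input (BuildKit secret mount), never via build-args.`, so the next maintainer does not downgrade provenance instead. The steps list these lines belong to starts before the hunk.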

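--- a/.github/workflows/packages_release.yaml
+++ b/.github/workflows/packages_release.yaml
@@ -112,8 +112,24 @@ jobs:
 id: get_version
 run: echo "SERVICE_VERSION=$(node -p "require('./service/package.json').version")" >> $GITHUB_OUTPUT
 
+- name: Extract metadata for the image
+uses: docker/metadata-action@v5
+id: meta
+with:
+images: ${{ vars.DOCKER_REGISTRY }}
+labels: |
+org.opencontainers.image.licenses=FSL-1.1-ALv2
+org.opencontainers.image.version=${{ steps.get_version.outputs.SERVICE_VERSION }}
+org.opencontainers.image.vendor=Journey Mobile, Inc
+annotations: |
+org.opencontainers.image.licenses=FSL-1.1-ALv2
+org.opencontainers.image.version=${{ steps.get_version.outputs.SERVICE_VERSION }}
+org.opencontainers.image.vendor=Journey Mobile, Inc
+env:
+DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
+
 - name: Build Image and Push
-uses: docker/build-push-action@v5
+uses: docker/build-push-action@v6
 with:
 platforms: linux/arm64,linux/amd64
 cache-from: type=registry,ref=${{vars.DOCKER_REGISTRY}}:latest
@@ -122,7 +138,16 @@ jobs:
 push: true
 file: ./service/Dockerfile
 
-# # Updates the README section on the DockerHub page
+# Add labels and annotations from metadata-action above.
+labels: ${{ steps.meta.outputs.labels }}
+annotations: ${{ steps.meta.outputs.annotations }}
+# Note: This includes build args in the published provenance.
+# Do not use this if secrets are passed in as args.
+provenance: mode=max
+# Pre-generate an SBOM file, which can be used for vulnerability scanning or listing licenses.
+sbom: true
+
+# Updates the README section on the DockerHub page
 - name: Update repo description
 # Note that this 3rd party extention is recommended in the DockerHub docs:
 # https://docs.docker.com/build/ci/github-actions/update-dockerhub-desc/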
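Review bot: The metadata step (new lines 115–130) and the labels/annotations/provenance/sbom stanza (new lines 141–150) are a verbatim copy of the ones added to .github/workflows/development_image_release.yaml, so the OCI values both releases attest to — for example `org.opencontainers.image.vendor=Journey Mobile, Inc`, repeated four times across the two files — will drift the first time one file is edited without the other. Consider moving the shared metadata step and the attestation inputs into a composite action under .github/actions, or a reusable workflow, so the development and production images are guaranteed to carry the same labels, annotations and provenance settings. Both hunks sit inside a steps list that starts before the first hunk, and the second hunk ends inside the `Update repo description` step.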
