From 0a1b81a9e0e218ad01ce90d8c4430e5b32c0230c Mon Sep 17 00:00:00 2001
From: veilor-org
Date: Wed, 6 May 2026 10:40:56 +0100
Subject: [PATCH 1/3] ci: add cosign keyless sigs, SBOM, and provenance attestation

Sign each ISO chunk with cosign keyless OIDC, generate an SPDX SBOM of the build output, and attach an in-toto build-provenance attestation. Sigs/certs/SBOM are uploaded alongside the ISO parts in the ci-latest rolling prerelease so the test/auto-install.sh path can verify before reassembling. Action versions are major-version tags (@v3, @v0, @v2). SHA-pinning is tracked separately to keep this PR small and avoid the long web lookups that stalled the previous attempt.
---
 .github/workflows/build-iso.yml | 35 ++++++++++++++++++++++++++++++++-
 1 file changed, 34 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/build-iso.yml b/.github/workflows/build-iso.yml
index 8a5fc2e..d255553 100644
--- a/.github/workflows/build-iso.yml
+++ b/.github/workflows/build-iso.yml
@@ -20,7 +20,9 @@ on:
 types: [published]

 permissions:
- contents: write # needed for action-gh-release to create+update ci-latest
+ contents: write # needed for action-gh-release to create+update ci-latest
+ id-token: write # cosign keyless OIDC + attest-build-provenance
+ attestations: write # attest-build-provenance writes the attestation

 jobs:
 build:
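Review bot: `id-token: write` and `attestations: write` are granted at workflow level, so every job in this workflow, not only the one that signs, can request an OIDC token that Sigstore and the attestation API accept as this repository's identity; combined with the `uses:` tags that PATCH 3/3 acknowledges are still mutable, that widens what a substituted action could sign or attest. Move all three grants into `jobs.build.permissions:` (a job-level `permissions` block replaces the workflow-level one for that job, so `contents: write` must move with them) and reduce the workflow-level block to `contents: read`. The `jobs:` block that would take the new entries continues outside this hunk, so if `build` is the only job the scoping is cheap and makes the intent explicit.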
@@ -197,6 +199,34 @@ jobs:
 echo "[OK] split into:"
 ls "${ISO}".part-*

+ - name: Install cosign
+ if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
+ uses: sigstore/cosign-installer@v3
+
+ - name: Sign ISO parts (keyless)
+ if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
+ run: |
+ cd build/out
+ for f in *.part-*; do
+ cosign sign-blob --yes "$f" \
+ --output-signature "$f.sig" \
+ --output-certificate "$f.pem"
+ done
+
+ - name: Generate SBOM (SPDX)
+ if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
+ uses: anchore/sbom-action@v0
+ with:
+ path: build/out
+ format: spdx-json
+ output-file: build/out/veilor-os.spdx.json
+
+ - name: Build provenance attestation
+ if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
+ uses: actions/attest-build-provenance@v2
+ with:
+ subject-path: 'build/out/*.iso.part-*'
+
 - name: Publish to ci-latest rolling prerelease
 if: success() && github.ref == 'refs/heads/main'
 uses: softprops/action-gh-release@v2
@@ -220,6 +250,9 @@ jobs:
 files: |
 build/out/*.iso.part-*
 build/out/*.sha256
+ build/out/*.sig
+ build/out/*.pem
+ build/out/*.spdx.json

 # Build log on failure: print inline + skip artifact upload to avoid
 # quota wall. Job log retains everything anyway.

From 84275e251588e7da497779c94c799437c83bfdeb Mon Sep 17 00:00:00 2001
From: veilor-org
Date: Wed, 6 May 2026 10:41:10 +0100
Subject: [PATCH 2/3] ci: pin fedora:43 base image to digest

Pin registry.fedoraproject.org/fedora:43 to its current manifest digest so a malicious or accidental tag-rewrite upstream cannot silently change the base layer of every CI build. Digest was captured via `skopeo inspect --raw` on 2026-05-06. Refresh procedure documented inline.
---
 .github/workflows/build-iso.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/build-iso.yml b/.github/workflows/build-iso.yml
index d255553..55702dc 100644
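Review bot: The `.sha256` checksum files and the SPDX SBOM in build/out are published unsigned and unattested: the signing loop only matches `*.part-*`, the SBOM is generated after that loop has already run, and `subject-path: 'build/out/*.iso.part-*'` covers the ISO parts alone, so a consumer that verifies the parts still has no integrity guarantee for the checksum file or the inventory it is told to trust. Move the "Generate SBOM (SPDX)" step ahead of "Sign ISO parts (keyless)", widen the loop to `for f in *.part-* *.sha256 *.spdx.json; do`, and list the same three patterns in a multi-line `subject-path` so the signatures and the attestation cover everything the release step uploads. Separately, at this point in the job `path: build/out` appears to hold only split ISO chunks (the `ls "${ISO}".part-*` line just above), which syft cannot look inside, so the resulting SBOM will most likely carry little beyond file names; a package inventory would have to be produced from the assembled tree before the split, in the build step that lies outside this hunk. It would also help verifiers to record next to the sign step the certificate identity (this workflow path and ref) and OIDC issuer they should pin, since a keyless `cosign verify-blob` without those constraints accepts any Fulcio-issued certificate. The step list of the `build` job begins and ends outside this hunk.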
--- a/.github/workflows/build-iso.yml
+++ b/.github/workflows/build-iso.yml
@@ -43,7 +43,9 @@ jobs:
 - name: Run build inside Fedora 43 container
 uses: addnab/docker-run-action@v3
 with:
- image: registry.fedoraproject.org/fedora:43
+ # Pinned to digest from `skopeo inspect --raw` on 2026-05-06.
+ # Refresh by re-running skopeo against fedora:43 and bumping.
+ image: registry.fedoraproject.org/fedora:43@sha256:72e874e771b953c6357c7a5823c6fc1e3e3253b90121e795febe01380e32269b
 options: |
 --privileged
 -v ${{ github.workspace }}:/work

From b74ef5005deab369ecea9403ae046569dbaa2e03 Mon Sep 17 00:00:00 2001
From: veilor-org
Date: Wed, 6 May 2026 10:41:19 +0100
Subject: [PATCH 3/3] ci: TODO marker for SHA-pinning third-party actions

Note that all `uses:` directives still resolve to mutable major-
version tags. SHA-pinning is the Agent 8 audit recommendation but requires per-action web lookups that stalled the previous SRE attempt; tracked separately so this PR can land first.
---
 .github/workflows/build-iso.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/build-iso.yml b/.github/workflows/build-iso.yml
index 55702dc..87eec28 100644
--- a/.github/workflows/build-iso.yml
+++ b/.github/workflows/build-iso.yml
@@ -1,3 +1,5 @@
+# TODO: SHA-pin all uses: tags to commit SHAs (Agent 8 audit recommendation).
+# Tracked separately so this PR can land without long web lookups.
 name: Build veilor-os ISO

 on:
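Review bot: The two comment lines above the new `image:` value should say what kind of digest was pinned, because `skopeo inspect --raw` on a multi-arch tag (which fedora:43 very likely is) returns the manifest index, and a future refresh that pastes a single-platform manifest digest instead would silently change what runs on other runner architectures; the `:43` that remains before the `@` is not consulted by the runtime once a digest is present, so it documents intent only and must be bumped by hand when the pin moves to a new Fedora release. Make the refresh command copy-pasteable so the next person reproduces the same kind of digest, e.g. `# Refresh: skopeo inspect --format '{{.Digest}}' docker://registry.fedoraproject.org/fedora:43`. The `with:` block and the step list continue outside this hunk.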
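Review bot: The TODO should name a path that removes its own blocker, since as written it tells a future reader only that the work stalled: a one-off pinning pass followed by a `package-ecosystem: "github-actions"` entry in `.github/dependabot.yml` keeps the SHAs current without per-action web lookups (Dependabot refreshes existing SHA pins but does not convert tags, hence the one-off pass). It is also worth stating why this matters more after PATCH 1/3: with `id-token: write` granted, every action reached through a mutable tag runs with the ability to obtain the OIDC token that the cosign and attestation steps trust as this repository's identity. Suggested wording: `# TODO: SHA-pin all uses: tags (Agent 8 audit). Do a one-off pin, then let Dependabot github-actions updates refresh them; until then every @vN action runs with id-token: write.`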