veilor-org/veilor-os
1
0
Fork 0
Code Issues Pull requests Projects Releases 1 Packages Wiki Activity Actions

Merge pull request 'ci: cosign keyless sigs, SBOM, provenance + fedora digest pin' (#7) from feat/sre-cosign-sbom-attestation into main
Some checks failed
Build veilor-os ISO / Build live ISO (push) Failing after 0s
Details
Lint / Kickstart syntax (push) Failing after 0s
Details
Lint / Shell scripts (push) Has been cancelled
Details
Lint / No personal/onyx leaks (push) Has been cancelled
Details

Browse source
This commit is contained in:
s8n-ru 2026-05-06 13:47:27 +01:00
commit 3d35196a2d
1 changed files with 39 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

41
.github/workflows/build-iso.yml vendored
View file

@ -1,3 +1,5 @@
# TODO: SHA-pin all uses: tags to commit SHAs (Agent 8 audit recommendation).
# Tracked separately so this PR can land without long web lookups.
name: Build veilor-os ISO name: Build veilor-os ISO
on: on:
@ -20,7 +22,9 @@ on:
types: [published] types: [published]
permissions: permissions:
contents: write # needed for action-gh-release to create+update ci-latest contents: write # needed for action-gh-release to create+update ci-latest
id-token: write # cosign keyless OIDC + attest-build-provenance
attestations: write # attest-build-provenance writes the attestation
jobs: jobs:
build: build:
@ -46,7 +50,9 @@ jobs:
# SHA pinning in a follow-up sweep. # SHA pinning in a follow-up sweep.
uses: addnab/docker-run-action@v3 uses: addnab/docker-run-action@v3
with: with:
image: registry.fedoraproject.org/fedora:43 # Pinned to digest from `skopeo inspect --raw` on 2026-05-06.
# Refresh by re-running skopeo against fedora:43 and bumping.
image: registry.fedoraproject.org/fedora:43@sha256:72e874e771b953c6357c7a5823c6fc1e3e3253b90121e795febe01380e32269b
options: | options: |
--privileged --privileged
-v ${{ github.workspace }}:/work -v ${{ github.workspace }}:/work
@ -202,6 +208,34 @@ jobs:
echo "[OK] split into:" echo "[OK] split into:"
ls "${ISO}".part-* ls "${ISO}".part-*
- name: Install cosign
if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
uses: sigstore/cosign-installer@v3
- name: Sign ISO parts (keyless)
if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
run: |
cd build/out
for f in *.part-*; do
cosign sign-blob --yes "$f" \
--output-signature "$f.sig" \
--output-certificate "$f.pem"
done
- name: Generate SBOM (SPDX)
if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
uses: anchore/sbom-action@v0
with:
path: build/out
format: spdx-json
output-file: build/out/veilor-os.spdx.json
- name: Build provenance attestation
if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
uses: actions/attest-build-provenance@v2
with:
subject-path: 'build/out/*.iso.part-*'
- name: Publish to ci-latest rolling prerelease - name: Publish to ci-latest rolling prerelease
if: success() && github.ref == 'refs/heads/main' if: success() && github.ref == 'refs/heads/main'
# Pinned to last v2 tag confirmed to ship on node20. # Pinned to last v2 tag confirmed to ship on node20.
@ -226,6 +260,9 @@ jobs:
files: | files: |
build/out/*.iso.part-* build/out/*.iso.part-*
build/out/*.sha256 build/out/*.sha256
build/out/*.sig
build/out/*.pem
build/out/*.spdx.json
# Build log on failure: print inline + skip artifact upload to avoid # Build log on failure: print inline + skip artifact upload to avoid
# quota wall. Job log retains everything anyway. # quota wall. Job log retains everything anyway.