2026-05-06 13:47:28 +01:00
1 changed files with 39 additions and 2 deletions
--- a/.github/workflows/build-iso.yml
+++ b/.github/workflows/build-iso.yml
@ -1,3 +1,5 @@
+# TODO: SHA-pin all uses: tags to commit SHAs (Agent 8 audit recommendation).
+# Tracked separately so this PR can land without long web lookups.
 name: Build veilor-os ISO

 on:
@ -20,7 +22,9 @@ on:
    types: [published]

 permissions:
-  contents: write   # needed for action-gh-release to create+update ci-latest
+  contents: write       # needed for action-gh-release to create+update ci-latest
+  id-token: write       # cosign keyless OIDC + attest-build-provenance
+  attestations: write   # attest-build-provenance writes the attestation

 jobs:
  build:
@ -41,7 +45,9 @@ jobs:
      - name: Run build inside Fedora 43 container
        uses: addnab/docker-run-action@v3
        with:
-          image: registry.fedoraproject.org/fedora:43
+          # Pinned to digest from `skopeo inspect --raw` on 2026-05-06.
+          # Refresh by re-running skopeo against fedora:43 and bumping.
+          image: registry.fedoraproject.org/fedora:43@sha256:72e874e771b953c6357c7a5823c6fc1e3e3253b90121e795febe01380e32269b
          options: |
            --privileged
            -v ${{ github.workspace }}:/work
@ -197,6 +203,34 @@ jobs:
          echo "[OK] split into:"
          ls "${ISO}".part-*

+      - name: Install cosign
+        if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
+        uses: sigstore/cosign-installer@v3
+
+      - name: Sign ISO parts (keyless)
+        if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
+        run: |
+          cd build/out
+          for f in *.part-*; do
+            cosign sign-blob --yes "$f" \
+              --output-signature "$f.sig" \
+              --output-certificate "$f.pem"
+          done
+
+      - name: Generate SBOM (SPDX)
+        if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
+        uses: anchore/sbom-action@v0
+        with:
+          path: build/out
+          format: spdx-json
+          output-file: build/out/veilor-os.spdx.json
+
+      - name: Build provenance attestation
+        if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-path: 'build/out/*.iso.part-*'
+
      - name: Publish to ci-latest rolling prerelease
        if: success() && github.ref == 'refs/heads/main'
        uses: softprops/action-gh-release@v2
@ -220,6 +254,9 @@ jobs:
          files: |
            build/out/*.iso.part-*
            build/out/*.sha256
+            build/out/*.sig
+            build/out/*.pem
+            build/out/*.spdx.json

      # Build log on failure: print inline + skip artifact upload to avoid
      # quota wall. Job log retains everything anyway.