diff --git a/.github/workflows/release-docker-image.yaml b/.github/workflows/release-docker-image.yaml index f218f32b..8f2d463e 100644 --- a/.github/workflows/release-docker-image.yaml +++ b/.github/workflows/release-docker-image.yaml @@ -22,6 +22,14 @@ on: jobs: Image: uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-publish-java-to-docker-versioned.yaml@v3 + permissions: + contents: write + security-events: write + packages: write + pull-requests: write + id-token: write + attestations: write + artifact-metadata: write with: release_type: ${{ inputs.release_type }} vulnerability_severity: ${{ inputs.vulnerability_severity }} diff --git a/README.md b/README.md index 2cd4dbb5..8197d76f 100644 --- a/README.md +++ b/README.md @@ -203,3 +203,20 @@ const myMultiSelect = { defaultValue: ['OPTION_1'] // Array or comma-separated string } ``` + +## Verifying image provenance + +Every non-snapshot image published by this repo's release workflow ships with a [SLSA v1.0](https://slsa.dev/spec/v1.0/) build-provenance attestation, signed by GitHub's [Sigstore](https://www.sigstore.dev/) instance via the OIDC identity of the [shared publish workflow](https://github.com/IABTechLab/uid2-shared-actions). The attestation cryptographically binds the image digest to the source commit, the signing workflow, and the runner that built it. + +To verify an image, install [`gh`](https://cli.github.com/) (≥ 2.49) and run: + +```bash +gh attestation verify \ + oci://ghcr.io/iabtechlab/uid2-admin: \ + --owner IABTechLab \ + --signer-repo IABTechLab/uid2-shared-actions +``` + +A successful run prints `✓ Verification succeeded!` followed by the SLSA provenance fields — including `sourceRepositoryDigest` (the source commit), `workflow.path` (the signing workflow), and the runner identity. + +Snapshot tags (`-SNAPSHOT` suffix) deliberately skip attestation. `gh attestation verify` returns `no attestations found` against a snapshot — that's expected.
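Review bot: the `permissions:` block on the `Image` job grants seven write scopes (`contents`, `security-events`, `packages`, `pull-requests`, `id-token`, `attestations`, `artifact-metadata`) with nothing in the hunk saying which step of the called workflow consumes each one; `pull-requests: write` and `security-events: write` in particular are unusual for a publish-to-registry job. For a `uses:` job the listed scopes are exactly what the reusable workflow receives, so this should be the minimum it actually needs: add a one-line comment per scope naming the step that requires it, and drop any that `shared-publish-java-to-docker-versioned.yaml` does not use. Separately, since this job now mints an OIDC token and signs attestations, `IABTechLab/uid2-shared-actions/...@v3` is a mutable tag; pinning the shared workflow to a full commit SHA (with the tag in a trailing comment) removes a tag-retarget vector from the signing path.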
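Review bot: the verification command in the new "Verifying image provenance" section is weaker than the prose around it suggests, and the image reference `oci://ghcr.io/iabtechlab/uid2-admin: \` is missing its tag placeholder. Three tightenings: (1) `--owner IABTechLab` accepts an attestation from any repository in the org as the build repo; since the image is `uid2-admin`, use `--repo IABTechLab/uid2-admin` instead so the check is scoped to this repo's workflow. (2) `--signer-repo` only constrains the signing repository; `--signer-workflow IABTechLab/uid2-shared-actions/.github/workflows/shared-publish-java-to-docker-versioned.yaml` pins the exact workflow path that the README says did the signing. (3) Tags are mutable, so the example should verify by digest (`uid2-admin@sha256:...`) or state that `gh` resolves the tag to a digest at verification time. Also, the sentence claiming the default output prints `sourceRepositoryDigest` and `workflow.path` should be checked against a real run; the default summary lists build and signer repo/workflow, while the full SLSA predicate fields are shown with `--format json`.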