feat: add sbom and provenance in release for dockerhub; use jammy; apt remove as possible #6160

Merged

Conversation

PastaPastaPasta
Member

Issue being fixed or feature implemented

Docker provenance refers to the origin and history of Docker images, including how they were built, modified, and by whom. An SBOM (Software Bill of Materials) is a detailed list of all components in a software application, providing transparency about libraries, dependencies, and versions used, which is crucial for security and compliance.

What was done?

Add SBOM and provenance to the Docker build; this may allow some level of validation that GitHub Actions is actually doing what it says it is.

See this for more information https://docs.docker.com/build/ci/github-actions/attestations/

How Has This Been Tested?

Building with buildx with sbom and provenance flags locally

Breaking Changes

None

Checklist:

Go over all the following points, and put an x in all the boxes that apply.

  • [x] I have performed a self-review of my own code
  • [ ] I have commented my code, particularly in hard-to-understand areas
  • [ ] I have added or updated relevant unit/integration/functional/e2e tests
  • [ ] I have made corresponding changes to the documentation
  • [x] I have assigned this pull request to a milestone (for repository code-owners and collaborators only)
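The following is an added example, not code from this PR or from the dash project, showing the consumer side of what the PR enables: reading the SBOM and provenance attestations back out of the registry and checking them against what you expect before trusting an image. It assumes the buildx flags and the `imagetools inspect` format strings documented at the Docker link above (in a GitHub Actions workflow the same attestations come from the `provenance` and `sbom` inputs of docker/build-push-action). The image digest, the `example/app` repository, the builder run URL and the package list are constructed placeholders, and the functions take the in-toto statement payload itself; the envelope that `imagetools inspect` prints around it is not reproduced. One caveat worth keeping in mind: BuildKit's provenance is emitted by the builder and is not signed unless a separate signing step is added, so checks like these catch a mislabelled or mismatched image and missing build metadata, not a builder that lies about its own identity.

```python
"""Consumer-side checks for the SBOM and SLSA provenance attestations that
`docker buildx build --sbom=true --provenance=mode=max` attaches to an image.

Added example for this page; not code from the dashpay/dash repository.
Every digest, URL and package below is a constructed placeholder.

Producing the attestations (buildx CLI flags from the Docker docs):
    docker buildx build --sbom=true --provenance=mode=max -t IMAGE --push .
Reading them back from the registry:
    docker buildx imagetools inspect IMAGE --format '{{json .Provenance}}'
    docker buildx imagetools inspect IMAGE --format '{{json .SBOM}}'
The functions here take the in-toto statement carried inside those
attestations; the envelope `imagetools inspect` prints around it is not
reproduced (assumption: the caller unwraps it first).
"""
import json

SLSA_V02 = "https://slsa.dev/provenance/v0.2"
SPDX_DOC = "https://spdx.dev/Document"

# Constructed values standing in for the image that was actually pulled.
IMAGE_DIGEST = "1a" * 32      # sha256 of the pulled image manifest (constructed)
SOURCE_COMMIT = "ab" * 20     # sha1 the builder claims it checked out (constructed)

PROVENANCE_STATEMENT = json.dumps({
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": SLSA_V02,
    "subject": [{"name": "pkg:docker/example/app@latest",
                 "digest": {"sha256": IMAGE_DIGEST}}],
    "predicate": {
        # Constructed builder id shaped like a CI workflow run URL.
        "builder": {"id": "https://github.com/example/app/actions/runs/123456789"},
        "buildType": "https://mobyproject.org/buildkit@v1",
        "invocation": {"configSource": {
            "uri": "https://github.com/example/app.git#refs/heads/develop",
            "digest": {"sha1": SOURCE_COMMIT},
            "entryPoint": "Dockerfile"}},
        "materials": [{"uri": "pkg:docker/ubuntu@jammy",
                       "digest": {"sha256": "cd" * 32}}],
    },
})

SBOM_STATEMENT = json.dumps({
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": SPDX_DOC,
    "subject": [{"name": "pkg:docker/example/app@latest",
                 "digest": {"sha256": IMAGE_DIGEST}}],
    "predicate": {
        "spdxVersion": "SPDX-2.3",
        "name": "sbom",
        "packages": [  # constructed package list, not a real scan result
            {"SPDXID": "SPDXRef-Package-deb-libc6", "name": "libc6",
             "versionInfo": "2.35-0ubuntu3"},
            {"SPDXID": "SPDXRef-Package-deb-openssl", "name": "openssl",
             "versionInfo": "3.0.2-0ubuntu1"},
        ],
    },
})


def _subject_digests(statement):
    """sha256 digests the statement claims to describe."""
    return {s.get("digest", {}).get("sha256") for s in statement.get("subject", [])}


def check_provenance(statement_json, image_digest, expected_repo, expected_builder_prefix):
    """Compare the builder's claims with what the consumer expects.

    Returns a list of problems; an empty list means every check passed.
    expected_repo is the exact source repository URL (without .git or a ref),
    expected_builder_prefix the CI run URL prefix the builder id must carry.
    """
    st = json.loads(statement_json)
    problems = []
    if st.get("predicateType") != SLSA_V02:
        problems.append(f"unexpected predicateType {st.get('predicateType')!r}")
    # The attestation must be about the image we pulled, not a sibling tag.
    if image_digest not in _subject_digests(st):
        problems.append("subject digest does not match the pulled image")
    pred = st.get("predicate", {})
    builder_id = pred.get("builder", {}).get("id", "")
    if not builder_id.startswith(expected_builder_prefix):
        problems.append(f"builder id {builder_id!r} is not the expected CI builder")
    src = pred.get("invocation", {}).get("configSource", {})
    # Exact match after dropping the ref fragment and .git; a bare prefix
    # test would also accept example/app-fork.
    repo = src.get("uri", "").split("#", 1)[0].removesuffix(".git")
    if repo != expected_repo:
        problems.append(f"configSource repository {repo!r} is not {expected_repo!r}")
    if not src.get("digest", {}).get("sha1"):
        problems.append("configSource records no source commit")
    return problems


def sbom_packages(statement_json, image_digest):
    """Return {package name: version} from an SPDX SBOM bound to image_digest."""
    st = json.loads(statement_json)
    if st.get("predicateType") != SPDX_DOC:
        raise ValueError(f"not an SPDX attestation: {st.get('predicateType')!r}")
    if image_digest not in _subject_digests(st):
        raise ValueError("SBOM subject does not match the pulled image")
    return {p["name"]: p.get("versionInfo", "")
            for p in st.get("predicate", {}).get("packages", [])}


if __name__ == "__main__":
    problems = check_provenance(
        PROVENANCE_STATEMENT, IMAGE_DIGEST,
        "https://github.com/example/app",
        "https://github.com/example/app/actions/runs/")
    print("provenance:", "ok" if not problems else problems)
    for name, version in sorted(sbom_packages(SBOM_STATEMENT, IMAGE_DIGEST).items()):
        print(f"{name} {version}")
```

The digest check is the one that matters most in practice: an attestation is only useful if its subject is the exact manifest you resolved, otherwise a registry can hand you a different image under the same tag alongside a perfectly valid-looking SBOM.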

@PastaPastaPasta PastaPastaPasta added this to the 21.1 milestone Jul 28, 2024
@PastaPastaPasta PastaPastaPasta changed the title feat: add smob and provenance in release for dockerhub; use jammy; apt remove as possible feat: add sbom and provenance in release for dockerhub; use jammy; apt remove as possible Jul 28, 2024
@UdjinM6 UdjinM6 left a comment

utACK 9178e8a

@PastaPastaPasta PastaPastaPasta merged commit 5901fd4 into dashpay:develop Aug 1, 2024
9 checks passed
@PastaPastaPasta PastaPastaPasta deleted the modernize-release-dockerhub branch August 1, 2024 14:17
PastaPastaPasta added a commit to PastaPastaPasta/dash that referenced this pull request Aug 1, 2024
…erhub; use jammy; apt remove as possible

9178e8a feat: add smob and provenance in release for dockerhub; use jammy; apt remove as possible (pasta)

Pull request description:

  ## Issue being fixed or feature implemented
  Docker provenance refers to the origin and history of Docker images, including how they were built, modified, and by whom. An SBOM (Software Bill of Materials) is a detailed list of all components in a software application, providing transparency about libraries, dependencies, and versions used, which is crucial for security and compliance.

  ## What was done?
  Add SBOM and provenance to docker build; this may allow some level of validation that GitHub actions is actually doing what it says it is.

  See this for more information https://docs.docker.com/build/ci/github-actions/attestations/

  ## How Has This Been Tested?
  Building with buildx with sbom and provenance flags locally

  ## Breaking Changes
  None

  ## Checklist:
    _Go over all the following points, and put an `x` in all the boxes that apply._
  - [x] I have performed a self-review of my own code
  - [ ] I have commented my code, particularly in hard-to-understand areas
  - [ ] I have added or updated relevant unit/integration/functional/e2e tests
  - [ ] I have made corresponding changes to the documentation
  - [x] I have assigned this pull request to a milestone _(for repository code-owners and collaborators only)_

ACKs for top commit:
  UdjinM6:
    utACK 9178e8a

Tree-SHA512: 6e3f35a0b30f002e2d5d80d6dd18ee554a1c15c62c1d4cbe1185f38977f55a199998515cf5bb9a027670f068f3d56ef33faa062d8c4122a886375d00afe6bf2f
PastaPastaPasta added a commit that referenced this pull request Aug 1, 2024
5619c8f docs: add release notes for v21.0.1 and archive v21.0.0 (pasta)
9e80d12 Merge #6163: fix: use blocks-only instead of address-only for inventory (pasta)
e10c5c9 Merge #6160: feat: add sbom and provenance in release for dockerhub; use jammy; apt remove as possible (pasta)

Pull request description:

  ## Issue being fixed or feature implemented
  Backport PRs for v21.0.1

  ## What was done?
  See commits

  ## How Has This Been Tested?
  See CI

  ## Breaking Changes
  None

  ## Checklist:
    _Go over all the following points, and put an `x` in all the boxes that apply._
  - [x] I have performed a self-review of my own code
  - [ ] I have commented my code, particularly in hard-to-understand areas
  - [ ] I have added or updated relevant unit/integration/functional/e2e tests
  - [ ] I have made corresponding changes to the documentation
  - [x] I have assigned this pull request to a milestone _(for repository code-owners and collaborators only)_

ACKs for top commit:
  knst:
    utACK 5619c8f
  kwvg:
    utACK 5619c8f
  UdjinM6:
    utACK 5619c8f

Tree-SHA512: 42c1e31319775e5800da2d82af00cae3aa0cee3baadd0123a809efc246d4ca5d0e6a4166b574e6ddebf66c0a80f4ee1655caff085f1687bb533889414a9fd4cf
@UdjinM6 UdjinM6 modified the milestones: 21.1, 21.0.2 Aug 1, 2024
PastaPastaPasta added a commit that referenced this pull request Aug 2, 2024
56cc39d chore: bump version to 21.0.2 (pasta)
5619c8f docs: add release notes for v21.0.1 and archive v21.0.0 (pasta)
9e80d12 Merge #6163: fix: use blocks-only instead of address-only for inventory (pasta)
e10c5c9 Merge #6160: feat: add sbom and provenance in release for dockerhub; use jammy; apt remove as possible (pasta)

Pull request description:

  ## Issue being fixed or feature implemented

  ## What was done?

  ## How Has This Been Tested?

  ## Breaking Changes

  ## Checklist:
  - [ ] I have performed a self-review of my own code
  - [ ] I have commented my code, particularly in hard-to-understand areas
  - [ ] I have added or updated relevant unit/integration/functional/e2e tests
  - [ ] I have made corresponding changes to the documentation
  - [ ] I have assigned this pull request to a milestone _(for repository code-owners and collaborators only)_

ACKs for top commit:
  PastaPastaPasta:
    utACK 0c11f0e;
  kwvg:
    utACK 0c11f0e

Tree-SHA512: c8f81678ba9a742b3e1a674ffc291e30d63900fd1e1328bf5528210d0a983b9c5c9b3960ce76fd6ed8fd7014a92e09dcfa093bcd7a4bad2e3ea2d5e849ee28bc