ci(release-server): enable max provenance + SBOM on Docker images#26
Merged
ci(release-server): enable max provenance + SBOM on Docker images#26
Conversation
Adds `provenance: mode=max` and `sbom: true` to both build-push steps (CPU and CUDA) in release-server.yml. Docker Scout grade dropped from B (locally pushed images via `make scout-cuda` / `make docker-build-cuda-dev`) to C (CI-pushed `:cu128` / `:latest`) because the local Makefile targets pass these flags explicitly while `docker/build-push-action@v6` defaults to `provenance: mode=min` and `sbom: false`. Without an SBOM the "Supply chain attestations" policy fails, dragging the grade down. Aligning the CI flags with the Makefile should restore grade B on the next `server/v*` release without changing image contents. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
provenance: mode=maxandsbom: trueto both Docker build-push steps inrelease-server.yml(CPU multi-arch + CUDA amd64).server/Makefilealready produces (make docker-build-cuda/scout-cuda/docker-build-cuda-dev).Why
Docker Scout grade for the same Dockerfile differed between artifacts:
:cu128-dev→ B:cu128/:v0.4.0-cu128(release-server.yml) → CInvestigation showed the runtime image is identical (same amd64 manifest size, same Dockerfile, same Go code). The delta is entirely in the attestation manifest:
:v0.4.0-cu128mode=min(~42 KB):cu128-devmode=max(~34 KB)docker/build-push-action@v6defaults areprovenance: true(=mode=min) andsbom: false. Without an SBOM, Scout's "Supply chain attestations" policy fails, dragging the grade down. Setting both flags explicitly aligns CI with the local Makefile and should restore grade B on the nextserver/v*release without changing image contents.Test plan
server/v0.4.1-test) → confirm CI workflow runs without errors and pushes both CPU and CUDA imagesdocker buildx imagetools inspect dvcdsys/code-index:<new-tag>-cu128 --raw— verify attestation manifest includes bothspdx.dev/Documentandslsa.dev/provenance/v1layersdocker scout cves dvcdsys/code-index:<new-tag>-cu128 --platform linux/amd64— verify HIGH/CRITICAL count unchanged🤖 Generated with Claude Code