
docker/github-builder#213

Merged
mathieu-benoit merged 6 commits into main from docker-github-builder
Feb 3, 2026

Conversation

@mathieu-benoit
Owner

@mathieu-benoit mathieu-benoit commented Feb 3, 2026

Use https://github.com/docker/github-builder for both open-pr and push-tag.

This workflow provides a trusted BuildKit instance and generates signed SLSA-compliant provenance attestations, guaranteeing the build happened from the source commit and all build steps ran in isolated sandboxed environments from immutable sources. This enables GitHub projects to follow a seamless path toward higher levels of security and trust.

Also, before this I was not yet signing (cosign/sigstore) the container image, that's now done by default with this docker/github-builder 🥳

cosign verify \
    --experimental-oci11 \
    --new-bundle-format \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-identity-regexp ^https://github.com/docker/github-builder/.github/workflows/build.yml.*$ \
    ghcr.io/mathieu-benoit/my-sample-workload@sha256:16205dc6b63ac7ed6e60bac8ff34b10d3dbfa03e01fce619bd0f398d2911ba5e \
    | jq .
Verification for ghcr.io/mathieu-benoit/my-sample-workload@sha256:16205dc6b63ac7ed6e60bac8ff34b10d3dbfa03e01fce619bd0f398d2911ba5e --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - The code-signing certificate was verified using trusted certificate authority certificates
[
  {
    "critical": {
      "identity": {
        "docker-reference": "ghcr.io/mathieu-benoit/my-sample-workload@sha256:16205dc6b63ac7ed6e60bac8ff34b10d3dbfa03e01fce619bd0f398d2911ba5e"
      },
      "image": {
        "docker-manifest-digest": "sha256:16205dc6b63ac7ed6e60bac8ff34b10d3dbfa03e01fce619bd0f398d2911ba5e"
      },
      "type": "https://sigstore.dev/cosign/sign/v1"
    },
    "optional": {}
  }
]

Needed to do these follow-up PRs too:
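Added example, not part of this PR or of docker/github-builder: a small Python gate that parses the `cosign verify ... | jq .` output shown above and fails closed unless every signature's claims name the exact image digest about to be deployed. The sample output below is constructed from the one in the comment; the repository and digest values are taken from it.

```python
import json

# Values taken from the cosign command in the PR description above.
EXPECTED_REPO = "ghcr.io/mathieu-benoit/my-sample-workload"
EXPECTED_DIGEST = "sha256:16205dc6b63ac7ed6e60bac8ff34b10d3dbfa03e01fce619bd0f398d2911ba5e"
COSIGN_SIGN_TYPE = "https://sigstore.dev/cosign/sign/v1"

# Constructed sample: the JSON array that `cosign verify | jq .` printed above.
SAMPLE_OUTPUT = json.dumps([
    {
        "critical": {
            "identity": {"docker-reference": f"{EXPECTED_REPO}@{EXPECTED_DIGEST}"},
            "image": {"docker-manifest-digest": EXPECTED_DIGEST},
            "type": COSIGN_SIGN_TYPE,
        },
        "optional": {},
    }
])


def check_cosign_claims(output: str, repo: str, digest: str) -> list[str]:
    """Return a list of problems with the verified claims; empty means deployable.

    cosign has already checked the signature, the OIDC issuer and the identity
    regexp. This adds the pin: the signed claims must describe exactly the
    repository and digest we are about to run, and an empty result is a failure.
    """
    try:
        claims = json.loads(output)
    except json.JSONDecodeError as exc:
        return [f"output is not JSON: {exc}"]
    if not isinstance(claims, list) or not claims:
        return ["no signatures in output (fail closed)"]

    problems = []
    for i, claim in enumerate(claims):
        critical = claim.get("critical", {})
        if critical.get("type") != COSIGN_SIGN_TYPE:
            problems.append(f"[{i}] unexpected claim type {critical.get('type')!r}")
        ref = critical.get("identity", {}).get("docker-reference", "")
        if ref != f"{repo}@{digest}":
            problems.append(f"[{i}] docker-reference {ref!r} is not {repo}@{digest}")
        manifest = critical.get("image", {}).get("docker-manifest-digest")
        if manifest != digest:
            problems.append(f"[{i}] manifest digest {manifest!r} != {digest}")
    return problems


if __name__ == "__main__":
    print(check_cosign_claims(SAMPLE_OUTPUT, EXPECTED_REPO, EXPECTED_DIGEST))
```

Feed it the real output of the cosign command from a CI step and refuse to deploy when the returned list is non-empty.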

@github-actions

github-actions bot commented Feb 3, 2026

Overview

| Image reference | my-sample-workload:latest | my-sample-workload:latest |
| --- | --- | --- |
| digest | 58d9e834af44 | 58d9e834af44 |
| tag | latest | latest |
| provenance | a426cc7 | a1d8fc2 |
| vulnerabilities | critical: 0 high: 0 medium: 0 low: 0 | critical: 0 high: 0 medium: 0 low: 0 |
| platform | linux/amd64 | linux/amd64 |
| size | 55 MB | 55 MB |
| packages | 18 | 18 |

Remove the 'file' key from the Docker build configuration.
Updated the registry authentication method for GitHub Actions.