From 731fcccfd98e84946b39dd5d2b14300738ffadfb Mon Sep 17 00:00:00 2001 From: Behnam Mozafari Date: Fri, 8 May 2026 15:54:45 +1000 Subject: [PATCH 1/5] UID2-6764: grant id-token and attestations write for SLSA provenance Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/publish-public-operator-docker-image.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/publish-public-operator-docker-image.yaml b/.github/workflows/publish-public-operator-docker-image.yaml index 9c2898ce0..ebe68c495 100644 --- a/.github/workflows/publish-public-operator-docker-image.yaml +++ b/.github/workflows/publish-public-operator-docker-image.yaml @@ -61,6 +61,9 @@ jobs: name: Image uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-publish-java-to-docker-versioned.yaml@v3 needs: check_major + permissions: + id-token: write + attestations: write with: release_type: ${{ inputs.release_type }} version_number_input: ${{ inputs.version_number_input }} From 7dda79d2148397856e40f8c1fa1a2dbef8cc6f08 Mon Sep 17 00:00:00 2001 From: Behnam Mozafari Date: Fri, 8 May 2026 15:58:08 +1000 Subject: [PATCH 2/5] UID2-6764: also grant the implicit defaults the publish job relied on Reusable workflows take the intersection of caller and callee permissions. Adding only id-token + attestations would have stripped the contents/ packages/security-events/pull-requests writes that the existing publish implicitly inherited from the workflow default, breaking the build. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/publish-public-operator-docker-image.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/publish-public-operator-docker-image.yaml b/.github/workflows/publish-public-operator-docker-image.yaml index ebe68c495..9a83fa40a 100644 --- a/.github/workflows/publish-public-operator-docker-image.yaml +++ b/.github/workflows/publish-public-operator-docker-image.yaml 
@@ -62,6 +62,10 @@ jobs: uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-publish-java-to-docker-versioned.yaml@v3 needs: check_major permissions: + contents: write + security-events: write + packages: write + pull-requests: write id-token: write attestations: write with: From b14bb7a4745a21bc4f31eaf2d9b8eb8237af52e8 Mon Sep 17 00:00:00 2001 From: Behnam Mozafari Date: Mon, 11 May 2026 10:17:24 +1000 Subject: [PATCH 3/5] UID2-6764: also grant artifact-metadata:write for attest@v4 storage record actions/attest@v4.1.0 calls GitHub's artifact-metadata API (create-storage-record:true by default). Without this permission the run logs 'Failed to persist storage record'; attestation still works but the new GitHub UI "Attestations" tab doesn't get cross-linked metadata. Matches the addition on uid2-shared-actions#228. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/publish-public-operator-docker-image.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/publish-public-operator-docker-image.yaml b/.github/workflows/publish-public-operator-docker-image.yaml index 9a83fa40a..ef9ee24f4 100644 --- a/.github/workflows/publish-public-operator-docker-image.yaml +++ b/.github/workflows/publish-public-operator-docker-image.yaml @@ -68,6 +68,7 @@ jobs: pull-requests: write id-token: write attestations: write + artifact-metadata: write with: release_type: ${{ inputs.release_type }} version_number_input: ${{ inputs.version_number_input }} From 1ce8387bfbb2eafa13760f269a797322eb1d4744 Mon Sep 17 00:00:00 2001 From: Behnam Mozafari Date: Tue, 12 May 2026 09:21:32 +1000 Subject: [PATCH 4/5] UID2-6764: document image provenance verification --- README.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/README.md b/README.md index 4cab735c7..c37e5b889 100644 --- a/README.md +++ b/README.md 
@@ -66,3 +66,20 @@ To check the docker image (which is what the publish-docker pipeline does), buil wsl trivy image ``` where ` is the built docker image you want to scan (uid2-latest in the example above). + +## Verifying image provenance + +Every non-snapshot image published by this repo's release workflow ships with a [SLSA v1.0](https://slsa.dev/spec/v1.0/) build-provenance attestation, signed by GitHub's [Sigstore](https://www.sigstore.dev/) instance via the OIDC identity of the [shared publish workflow](https://github.com/IABTechLab/uid2-shared-actions). The attestation cryptographically binds the image digest to the source commit, the signing workflow, and the runner that built it. + +To verify an image, install [`gh`](https://cli.github.com/) (≥ 2.49) and run: + +```bash +gh attestation verify \ + oci://ghcr.io/iabtechlab/uid2-operator: \ + --owner IABTechLab \ + --signer-repo IABTechLab/uid2-shared-actions +``` + +A successful run prints `✓ Verification succeeded!` followed by the SLSA provenance fields — including `sourceRepositoryDigest` (the source commit), `workflow.path` (the signing workflow), and the runner identity. + +Snapshot tags (`-SNAPSHOT` suffix) deliberately skip attestation. `gh attestation verify` returns `no attestations found` against a snapshot — that's expected. From 33ffe9f47604b81c2fad41cc6594e9c3a5a98b45 Mon Sep 17 00:00:00 2001 From: Behnam Mozafari Date: Tue, 12 May 2026 09:53:44 +1000 Subject: [PATCH 5/5] Fix formatting for image reference in README Corrected formatting for image reference in README. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index c37e5b889..961e06d5d 100644 --- a/README.md +++ b/README.md 
@@ -65,7 +65,7 @@ To check the docker image (which is what the publish-docker pipeline does), buil ``` wsl trivy image ``` -where ` is the built docker image you want to scan (uid2-latest in the example above). +where `` is the built docker image you want to scan (uid2-latest in the example above). ## Verifying image provenance
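Review bot: on the PATCH 1/5 hunk that adds `permissions:` to the `Image` job, a job-level `permissions` block replaces the inherited defaults instead of extending them, and because the job's `uses:` points at a reusable workflow the callee receives the intersection of caller and callee grants, so on its own this hunk strips the `contents`/`packages`/`security-events`/`pull-requests` writes the publish relied on (the PATCH 2/5 message confirms it would have broken the build). Squash PATCH 1/5 and 2/5 so no commit in the series leaves the release job unable to publish; the explicit block itself is the right least-privilege shape, it just has to be complete in the same commit that introduces it.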
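Review bot: on the PATCH 2/5 hunk, the four added scopes (`contents`, `security-events`, `packages`, `pull-requests`, all `write`) are justified in the commit message only as the defaults the publish "implicitly inherited", not as scopes the callee was checked to need; now that the grant is explicit, each should be traced to a step in `shared-publish-java-to-docker-versioned.yaml@v3` (`packages: write` for the registry push, `contents: write` only if it tags or creates a release, `security-events: write` only if it uploads scan results) and anything unused dropped. `pull-requests: write` on a release-publish job is the one most worth questioning: a token that can edit pull requests in the same job that holds `id-token: write` and `attestations: write` widens the blast radius of any compromised step in the callee, so either cite the step that needs it or remove it.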
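Review bot: on the PATCH 3/5 hunk adding `artifact-metadata: write`, the commit message ties the scope to actions/attest@v4.1.0 and to a matching change on uid2-shared-actions#228, yet the caller still references the shared workflow through the floating `@v3` tag, so whether the attest step that consumes this scope is actually present depends on where `v3` points on the day of the run. Pin `uses:` to the full commit SHA of the shared workflow (keeping the tag in a trailing comment), since the workflow identity that the README in PATCH 4/5 tells users to trust via `--signer-repo` should itself be immutable from the caller's side; and add a one-line comment above `artifact-metadata: write` saying it only affects the storage record and the Attestations tab cross-linking (the message states attestation succeeds without it), so a later reader does not assume signing depends on it.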
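Review bot: on the PATCH 4/5 README hunk, the `gh attestation verify` example addresses the image as `oci://ghcr.io/iabtechlab/uid2-operator:` with nothing after the colon, so the tag placeholder is missing (the same loss visible in the trivy line above it). Verifying by a mutable tag also means the digest `gh` resolves at verification time can differ from the one a deployment later pulls; show the digest form `oci://ghcr.io/iabtechlab/uid2-operator@sha256:<digest>` as well, or tell readers to take the digest from the verify output and pin deployments to it so the check binds to what actually runs. The snapshot paragraph tells readers that `no attestations found` is expected; pair that with an explicit statement that snapshot images therefore must not be deployed where verified provenance is required, so the "expected" failure is not generalised into ignoring verification failures.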
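Review bot: on the PATCH 5/5 hunk, the replacement line still reads `where `` is the built docker image` with empty backticks, so the placeholder meant to sit inside them (the image reference) is still absent after the fix, and the identical gap on the `oci://ghcr.io/iabtechlab/uid2-operator:` line added in PATCH 4/5 is left untouched by this commit. Fold both into one fix that writes the placeholder out in prose (for example "the image name and tag") rather than a formatting-only commit that leaves the reader with nothing to substitute.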