ci: refactor Docker image build and add provenance attestations

rwestphal · rwestphal · commit 22d3168d1219 · 2025-07-26T19:51:25.000-03:00
- Replace inline Docker build logic with a reusable workflow for image build and attestation - Use `docker/build-push-action@v6` to build and push holod and holo-bundle images to ghcr.io - Add provenance attestations using `actions/attest-build-provenance@v2` - Images are now pushed to ghcr.io with corresponding provenance metadata Example verification: $ gh attestation verify oci://ghcr.io/holo-routing/holod:latest -R holo-routing/holo Loaded digest sha256:c3b9a8f7979246c6f2c7e8a214189e56d8b43af1eedb19e0c65703762408f0c7 for oci://ghcr.io/holo-routing/holod:latest Loaded 1 attestation from GitHub API The following policy criteria will be enforced: - Predicate type must match:................ https://slsa.dev/provenance/v1 - Source Repository Owner URI must match:... https://github.com/holo-routing - Source Repository URI must match:......... https://github.com/holo-routing/holo - Subject Alternative Name must match regex: (?i)^https://github.com/holo-routing/holo/ - OIDC Issuer must match:................... https://token.actions.githubusercontent.com ✓ Verification succeeded! The following 1 attestation matched the policy criteria - Attestation #1 - Build repo:..... holo-routing/holo - Build workflow:. .github/workflows/ci.yaml@refs/heads/master - Signer repo:.... holo-routing/holo - Signer workflow: .github/workflows/docker-build-and-attest.yml@refs/heads/master Closes #80 Signed-off-by: Renato Westphal <renato@opensourcerouting.org>
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -89,20 +89,25 @@ jobs:
       - name: Check benchmark builds
         run: cargo bench --no-run -p holo-bgp -p holo-ldp -p holo-ospf
 
-  push-image:
-    name: Docker Image Build
-    runs-on: ubuntu-latest
+  docker-build-holod:
+    uses: ./.github/workflows/docker-build-and-attest.yml
     if: github.ref == 'refs/heads/master' && github.repository_owner == 'holo-routing'
-    steps:
-      - uses: actions/checkout@v4
-      - uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{github.actor}}
-          password: ${{secrets.GITHUB_TOKEN}}
-      - name: Build and push container image
-        run: |
-          docker build . -f docker/Dockerfile.holod --tag ghcr.io/holo-routing/holod:latest
-          docker push ghcr.io/holo-routing/holod:latest
-          docker build . -f docker/Dockerfile.holo-bundle --tag ghcr.io/holo-routing/holo-bundle:latest
-          docker push ghcr.io/holo-routing/holo-bundle:latest
+    with:
+      image-name: holod
+      dockerfile: docker/Dockerfile.holod
+    permissions:
+      id-token: write
+      attestations: write
+      packages: write
+
+  docker-build-holo-bundle:
+    needs: docker-build-holod
+    uses: ./.github/workflows/docker-build-and-attest.yml
+    if: github.ref == 'refs/heads/master' && github.repository_owner == 'holo-routing'
+    with:
+      image-name: holo-bundle
+      dockerfile: docker/Dockerfile.holo-bundle
+    permissions:
+      id-token: write
+      attestations: write
+      packages: write
diff --git a/.github/workflows/docker-build-and-attest.yml b/.github/workflows/docker-build-and-attest.yml
@@ -0,0 +1,44 @@
+name: Build and Attest Docker Image
+
+on:
+  workflow_call:
+    inputs:
+      image-name:
+        required: true
+        type: string
+      dockerfile:
+        required: true
+        type: string
+
+jobs:
+  build-and-attest:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      attestations: write
+      packages: write
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push image
+        id: push_image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ${{ inputs.dockerfile }}
+          push: true
+          tags: ghcr.io/holo-routing/${{ inputs.image-name }}:latest
+
+      - name: Attest image
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-name: ghcr.io/holo-routing/${{ inputs.image-name }}
+          subject-digest: ${{ steps.push_image.outputs.digest }}
+          push-to-registry: true
