8 changes: 8 additions & 0 deletions cloudbuild.yaml
@@ -15,12 +15,20 @@ steps:
env:
- IMG_PREFIX=us-central1-docker.pkg.dev/k8s-staging-images/dra-driver-nvidia
- GIT_COMMIT=${_PULL_BASE_SHA}
- IMG_PROVENANCE=true
- IMG_SBOM=true
- id: publish-chart
name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20260127-c1affcc8de
entrypoint: ./hack/build-and-publish-chart.sh
env:
- IMG_PREFIX=us-central1-docker.pkg.dev/k8s-staging-images/dra-driver-nvidia
- GIT_COMMIT=${_PULL_BASE_SHA}
- PULL_BASE_REF=${_PULL_BASE_REF}
- BUILD_ID=${BUILD_ID}
- PROJECT_ID=${PROJECT_ID}
- CHART_PROVENANCE=true
- CHART_SBOM=true
- COSIGN_OIDC_PROVIDER=google
substitutions:
_GIT_TAG: 'v0-placeholder'
_PULL_BASE_REF: 'main'
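Review bot: `COSIGN_OIDC_PROVIDER=google` switches the publish-chart step to keyless signing, but nothing in this step records which certificate identity and OIDC issuer the resulting attestations are expected to carry, which is exactly what a consumer has to pass to `cosign verify-attestation`. A comment on that line such as `# keyless (Fulcio) signing; verifiers must pin the signing identity (presumably the Cloud Build service account) and the Google OIDC issuer` would put the verification contract next to where it is set. Whether the step's `name:` line is new or pre-existing is not visible on the rendered page, but it pins the builder image by tag rather than digest, which is worth revisiting in a change whose purpose is supply-chain attestations.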
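--- a/deployments/container/Makefile
+++ b/deployments/container/Makefile
@@ -16,6 +16,8 @@ BUILD_MULTI_ARCH_IMAGES ?= no
 DOCKER ?= docker
 REGCTL ?= regctl
 PUSH_ON_BUILD ?= false
+PROVENANCE ?= false
+SBOM ?= false
 
 ##### Global variables #####
 include $(CURDIR)/versions.mk
@@ -48,13 +50,13 @@ DOCKER_BUILD_PLATFORM_OPTIONS = --platform=linux/amd64,linux/arm64
 ifeq ($(BUILD_MULTI_ARCH_GH),true)
 DOCKER_BUILD_OPTIONS = \
 --output=type=oci,dest=$(OCI_OUTPUT) \
---provenance=false \
---sbom=false
+--provenance=$(PROVENANCE) \
+--sbom=$(SBOM)
 else
 DOCKER_BUILD_OPTIONS = \
---output=type=image,push=$(PUSH_ON_BUILD) \
---provenance=false \
---sbom=false
+--output=type=image,push=$(PUSH_ON_BUILD),oci-mediatypes=true \
+--provenance=$(PROVENANCE) \
+--sbom=$(SBOM)
 endif
 else
 # We also support building single-platform images.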
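Review bot: `PROVENANCE ?= false` and `SBOM ?= false` are new tunables with no comment, and their values are spliced unvalidated into `--provenance=`/`--sbom=` in both branches of the second hunk. A short comment above the defaults, `# Forwarded verbatim to buildx --provenance/--sbom; callers pass true or false`, documents the contract callers in hack/ rely on. The `else` branch also newly appends `oci-mediatypes=true` to the image output; a one-line why-comment on that pairing (attestations alongside OCI media types) would help, since it is the only behavioural change in the hunk besides the variables. Both DOCKER_BUILD_OPTIONS assignments are fully within the hunk.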
115 changes: 114 additions & 1 deletion hack/build-and-publish-chart.sh
@@ -40,8 +40,68 @@ echo "Using CHART_VERSION=${CHART_VERSION} (IMG_TAG without leading v)"

DRIVER_NAME=$(make --no-print-directory -f "${REPO_ROOT}/versions.mk" print-DRIVER_NAME)
HELM="${HELM:-helm}"
COSIGN="${COSIGN:-cosign}"
COSIGN_VERSION="${COSIGN_VERSION:-v3.0.6}"
JQ_VERSION="${JQ_VERSION:-jq-1.7.1}"
CHART_PROVENANCE="${CHART_PROVENANCE:-false}"
CHART_SBOM="${CHART_SBOM:-false}"
DIST_DIR="${REPO_ROOT}/dist"

chart_attestations_enabled() {
[[ "${CHART_PROVENANCE}" == "true" || "${CHART_SBOM}" == "true" ]]
}

ensure_cosign() {
if command -v "${COSIGN}" >/dev/null 2>&1; then
return
fi

if [[ "${COSIGN}" != "cosign" ]]; then
echo "COSIGN=${COSIGN} is not available" >&2
exit 1
fi

echo "Installing cosign ${COSIGN_VERSION}..."
curl -sSfL --retry 8 --retry-all-errors --connect-timeout 10 --retry-delay 5 \
-o /usr/local/bin/cosign \
"https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}/cosign-linux-amd64"
chmod +x /usr/local/bin/cosign
}

ensure_jq() {
if command -v jq >/dev/null 2>&1; then
return
fi

echo "Installing jq ${JQ_VERSION}..."
curl -sSfL --retry 8 --retry-all-errors --connect-timeout 10 --retry-delay 5 \
-o /usr/local/bin/jq \
"https://github.com/jqlang/jq/releases/download/${JQ_VERSION}/jq-linux-amd64"
chmod +x /usr/local/bin/jq
}

cosign_attest_chart() {
local predicate=$1
local predicate_type=$2
local label=$3
local cmd=("${COSIGN}" attest --yes --predicate "${predicate}" --type "${predicate_type}")

if [[ -n ${COSIGN_KEY:-} ]]; then
cmd+=(--key "${COSIGN_KEY}")
fi
if [[ -n ${COSIGN_IDENTITY_TOKEN:-} ]]; then
cmd+=(--identity-token "${COSIGN_IDENTITY_TOKEN}")
fi
if [[ -n ${COSIGN_OIDC_PROVIDER:-} ]]; then
cmd+=(--oidc-provider "${COSIGN_OIDC_PROVIDER}")
fi

cmd+=("${CHART_REF}")

echo "Attesting ${label} for ${CHART_REF}"
"${cmd[@]}"
}

if ! command -v helm >/dev/null 2>&1; then
echo "Installing Helm 3..."
curl -sSfLO --retry 8 --retry-all-errors --connect-timeout 10 --retry-delay 5 \
@@ -50,6 +110,25 @@ if ! command -v helm >/dev/null 2>&1; then
mv linux-amd64/helm /usr/local/bin/helm
fi

if [[ -z ${GIT_COMMIT:-} ]]; then
GIT_COMMIT=$(git rev-parse HEAD)
fi
echo "Using GIT_COMMIT=${GIT_COMMIT}"

if chart_attestations_enabled; then
ensure_jq
ensure_cosign
fi

REGISTRY_HOST="${IMG_PREFIX%%/*}"
if command -v gcloud >/dev/null 2>&1; then
case "${REGISTRY_HOST}" in
*.pkg.dev | gcr.io | *.gcr.io)
gcloud auth configure-docker "${REGISTRY_HOST}" --quiet
;;
esac
fi

mkdir -p "${DIST_DIR}"
rm -f "${DIST_DIR}/${DRIVER_NAME}-"*.tgz

@@ -70,4 +149,38 @@ fi

CHART_TGZ="${DIST_DIR}/${DRIVER_NAME}-${CHART_VERSION}.tgz"
echo "Pushing ${CHART_TGZ} -> oci://${IMG_PREFIX}/charts"
"${HELM}" push "${CHART_TGZ}" "oci://${IMG_PREFIX}/charts"
if ! PUSH_OUTPUT=$("${HELM}" push "${CHART_TGZ}" "oci://${IMG_PREFIX}/charts" 2>&1); then
printf '%s\n' "${PUSH_OUTPUT}"
exit 1
fi
printf '%s\n' "${PUSH_OUTPUT}"

if chart_attestations_enabled; then
CHART_DIGEST=${CHART_DIGEST:-$(printf '%s\n' "${PUSH_OUTPUT}" | awk '/Digest:/ { print $2; exit }')}
if [[ -z "${CHART_DIGEST}" ]]; then
echo "could not determine chart digest from helm push output" >&2
exit 1
fi

CHART_REF="${IMG_PREFIX}/charts/${DRIVER_NAME}@${CHART_DIGEST}"
echo "Using CHART_REF=${CHART_REF}"

CHART_NAME="${DRIVER_NAME}" \
CHART_VERSION="${CHART_VERSION}" \
GIT_COMMIT="${GIT_COMMIT}" \
PULL_BASE_REF="${PULL_BASE_REF:-}" \
BUILD_ID="${BUILD_ID:-}" \
PROJECT_ID="${PROJECT_ID:-}" \
bash "${REPO_ROOT}/hack/generate-helm-chart-attestation-predicates.sh" \
"${CHART_TGZ}" \
"${CHART_REF}" \
"${DIST_DIR}"

CHART_PREDICATE_PREFIX="${DIST_DIR}/${DRIVER_NAME}-${CHART_VERSION}"
if [[ "${CHART_PROVENANCE}" == "true" ]]; then
cosign_attest_chart "${CHART_PREDICATE_PREFIX}.slsa-provenance.json" slsaprovenance1 "SLSA provenance"
fi
if [[ "${CHART_SBOM}" == "true" ]]; then
cosign_attest_chart "${CHART_PREDICATE_PREFIX}.sbom.spdx.json" spdxjson "SPDX SBOM"
fi
fi
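Review bot: `ensure_cosign` in the first hunk installs the signing tool from a GitHub release URL with no checksum or signature check, so the binary that produces the chart attestations is itself unverified, and because `COSIGN_VERSION` is overridable from the environment the download target can be redirected by whoever controls the build env. `ensure_jq` in the same hunk has the same gap, and the pre-existing Helm install just below it does too, though that is outside this change. Pinning the expected SHA-256 next to the version default and checking it with `sha256sum -c` before anything lands in `/usr/local/bin` closes this; the sketch below introduces a `COSIGN_SHA256` variable (constructed name) and downloads to a temp file so a failed check never leaves a partial binary on PATH. Separately, `CHART_DIGEST=${CHART_DIGEST:-…}` in the last hunk lets the environment substitute a digest other than the one `helm push` just printed as the attestation subject; if that is only for local testing, a comment saying so would help. Both helper functions are fully inside the first hunk.
```shell
ensure_cosign() {
  # … unchanged: return early when ${COSIGN} is already on PATH; fail when a non-default COSIGN is missing …
  local tmp
  tmp=$(mktemp) || exit 1
  echo "Installing cosign ${COSIGN_VERSION}..."
  curl -sSfL --retry 8 --retry-all-errors --connect-timeout 10 --retry-delay 5 \
    -o "${tmp}" \
    "https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}/cosign-linux-amd64"
  # COSIGN_SHA256 is the published digest of cosign-linux-amd64 for the pinned COSIGN_VERSION.
  printf '%s  %s\n' "${COSIGN_SHA256:?expected sha256 of cosign-linux-amd64 for ${COSIGN_VERSION}}" "${tmp}" \
    | sha256sum -c - >/dev/null \
    || { echo "cosign ${COSIGN_VERSION} checksum mismatch" >&2; rm -f -- "${tmp}"; exit 1; }
  install -m 0755 "${tmp}" /usr/local/bin/cosign
  rm -f -- "${tmp}"
}
```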
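--- a/hack/build-and-publish-image.sh
+++ b/hack/build-and-publish-image.sh
@@ -38,6 +38,9 @@ if [[ -z ${GIT_COMMIT:-} ]]; then
 fi
 echo "Using GIT_COMMIT=${GIT_COMMIT}"
 
+IMG_PROVENANCE="${IMG_PROVENANCE:-false}"
+IMG_SBOM="${IMG_SBOM:-false}"
+
 export CI=true
 export DOCKER_CLI_EXPERIMENTAL=enabled
 
@@ -52,4 +55,6 @@ make -f deployments/container/Makefile build \
 PUSH_ON_BUILD=true \
 REGISTRY="${IMG_PREFIX}" \
 VERSION="${IMG_TAG}" \
-GIT_COMMIT="${GIT_COMMIT}"
+GIT_COMMIT="${GIT_COMMIT}" \
+PROVENANCE="${IMG_PROVENANCE}" \
+SBOM="${IMG_SBOM}"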
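Review bot: `IMG_PROVENANCE` and `IMG_SBOM` are forwarded verbatim as `PROVENANCE=`/`SBOM=` to the Makefile, which places them directly into buildx `--provenance=`/`--sbom=`, and nothing in these hunks checks that they are `true` or `false`, so any other string from the Cloud Build environment lands in a build flag (buildx accepts option strings such as `mode=max` there, so a typo is interpreted rather than rejected). The sibling `build-and-publish-chart.sh` acts only on an exact `"true"`, so the two scripts currently disagree on how a stray value behaves. A guard after the defaults, `[[ "${IMG_PROVENANCE}" == true || "${IMG_PROVENANCE}" == false ]] || { echo "IMG_PROVENANCE must be true or false" >&2; exit 1; }` (and the same for `IMG_SBOM`), makes the contract explicit. The `make` invocation begins above the second hunk.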