diff --git a/.changeset/silent-suns-watch.md b/.changeset/silent-suns-watch.md
new file mode 100644
index 00000000..8413a2d0
--- /dev/null
+++ b/.changeset/silent-suns-watch.md
@@ -0,0 +1,5 @@
+---
+'@powersync/service-image': patch
+---
+
+Add attestations to Docker image.
diff --git a/.github/workflows/development_image_release.yaml b/.github/workflows/development_image_release.yaml
index bffe5ec9..94cb2d5c 100644
--- a/.github/workflows/development_image_release.yaml
+++ b/.github/workflows/development_image_release.yaml
@@ -67,13 +67,38 @@ jobs:
 id: get_version
 run: echo "SERVICE_VERSION=$(node -p "require('./service/package.json').version")" >> $GITHUB_OUTPUT
+ - name: Extract metadata for the image
+ uses: docker/metadata-action@v5
+ id: meta
+ with:
+ images: ${{ vars.DOCKER_REGISTRY }}
+ labels: |
+ org.opencontainers.image.licenses=FSL-1.1-ALv2
+ org.opencontainers.image.version=${{ steps.get_version.outputs.SERVICE_VERSION }}
+ org.opencontainers.image.vendor=Journey Mobile, Inc
+ annotations: |
+ org.opencontainers.image.licenses=FSL-1.1-ALv2
+ org.opencontainers.image.version=${{ steps.get_version.outputs.SERVICE_VERSION }}
+ org.opencontainers.image.vendor=Journey Mobile, Inc
+ env:
+ DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
+
 - name: Build Image and Push
- uses: docker/build-push-action@v5
+ uses: docker/build-push-action@v6
 with:
 platforms: linux/arm64,linux/amd64
 cache-from: type=registry,ref=${{vars.DOCKER_REGISTRY}}:latest
 context: .
- # This should not be taged as latest
+ # This should not be taged as latest
 tags: ${{vars.DOCKER_REGISTRY}}:${{steps.get_version.outputs.SERVICE_VERSION}}
- push: true
 file: ./service/Dockerfile
+ push: true
+
+ # Add labels and annotations from metadata-action above.
+ labels: ${{ steps.meta.outputs.labels }}
+ annotations: ${{ steps.meta.outputs.annotations }}
+ # Note: This includes build args in the published provenance.
+ # Do not use this if secrets are passed in as args.
+ provenance: mode=max
+ # Pre-generate an SBOM file, which can be used for vulnerability scanning or listing licenses.
+ sbom: true
diff --git a/.github/workflows/packages_release.yaml b/.github/workflows/packages_release.yaml
index a81c706c..bc1e87c8 100644
--- a/.github/workflows/packages_release.yaml
+++ b/.github/workflows/packages_release.yaml
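Review bot: Both actions this hunk introduces or upgrades, `uses: docker/metadata-action@v5` and `uses: docker/build-push-action@v6`, are referenced by floating major-version tags, which is a weak anchor for a change whose purpose is to publish provenance: if the tag is moved, the builder that the recorded provenance describes changes with no diff in this repository. Pinning each to its full commit SHA with the version kept as a trailing comment, e.g. `uses: docker/build-push-action@<commit-sha>  # v6`, fixes the builder identity; the same applies to the identical step added to packages_release.yaml in this commit. The provenance and SBOM emitted by `provenance: mode=max` and `sbom: true` are attached to the pushed image but, as far as this workflow shows, are not signed, so a comment next to `sbom: true` stating that consumers who want to verify the image still need a separate signing step would set expectations correctly. The re-added comment `# This should not be taged as latest` also carries a typo (`tagged`). The enclosing job starts before this hunk, outside the view.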
@@ -112,8 +112,24 @@ jobs:
 id: get_version
 run: echo "SERVICE_VERSION=$(node -p "require('./service/package.json').version")" >> $GITHUB_OUTPUT
+ - name: Extract metadata for the image
+ uses: docker/metadata-action@v5
+ id: meta
+ with:
+ images: ${{ vars.DOCKER_REGISTRY }}
+ labels: |
+ org.opencontainers.image.licenses=FSL-1.1-ALv2
+ org.opencontainers.image.version=${{ steps.get_version.outputs.SERVICE_VERSION }}
+ org.opencontainers.image.vendor=Journey Mobile, Inc
+ annotations: |
+ org.opencontainers.image.licenses=FSL-1.1-ALv2
+ org.opencontainers.image.version=${{ steps.get_version.outputs.SERVICE_VERSION }}
+ org.opencontainers.image.vendor=Journey Mobile, Inc
+ env:
+ DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
+
 - name: Build Image and Push
- uses: docker/build-push-action@v5
+ uses: docker/build-push-action@v6
 with:
 platforms: linux/arm64,linux/amd64
 cache-from: type=registry,ref=${{vars.DOCKER_REGISTRY}}:latest
@@ -122,7 +138,16 @@ jobs:
 push: true
 file: ./service/Dockerfile
- # # Updates the README section on the DockerHub page
+ # Add labels and annotations from metadata-action above.
+ labels: ${{ steps.meta.outputs.labels }}
+ annotations: ${{ steps.meta.outputs.annotations }}
+ # Note: This includes build args in the published provenance.
+ # Do not use this if secrets are passed in as args.
+ provenance: mode=max
+ # Pre-generate an SBOM file, which can be used for vulnerability scanning or listing licenses.
+ sbom: true
+
+ # Updates the README section on the DockerHub page
 - name: Update repo description
 # Note that this 3rd party extention is recommended in the DockerHub docs:
 # https://docs.docker.com/build/ci/github-actions/update-dockerhub-desc/
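Review bot: The `Extract metadata for the image` step and the `labels`/`annotations`/`provenance`/`sbom` block added in these two hunks are a verbatim copy of the ones added to development_image_release.yaml in the same commit, so the license string, vendor name and `DOCKER_METADATA_ANNOTATIONS_LEVELS` setting now live in two files that can drift independently. Holding the metadata step and the attestation inputs once, in a composite action or a reusable workflow consumed by both release workflows, would keep the published image metadata in a single reviewed place. The enclosing job starts before the first hunk, outside the view.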