fix(ci): restore SLSA Build L3 image provenance (reusable workflow)#1558
Conversation
Image attestations regressed to Build L2 when the attest step was inlined into the on-tag.yaml release job. GitHub issues Build L2 for attestations generated in a caller workflow and Build L3 only when they are generated from a reusable workflow. Move image attestation into a reusable workflow (attest-images.yaml) called by on-tag.yaml, so the provenance builder identity becomes the reusable workflow — verifiable with 'gh attestation verify --signer-workflow'. Restore the L3 wording across SECURITY.md, README, docs, and RELEASING (qualified to 'under review' in #1547), add a 'why it is L3' explanation to SECURITY.md, and repoint every image verification reference (signer-workflow and Cosign identity) to attest-images.yaml. Binary attestations are unchanged (Build L2, signed from on-tag.yaml). Fixes #1536 Signed-off-by: Mark Chmarny <[email protected]>
📝 WalkthroughWalkthroughA new reusable GitHub Actions workflow Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes Possibly related issues
🚥 Pre-merge checks | ✅ 4✅ Passed checks (4 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/attest-images.yaml:
- Around line 51-55: The workflow permissions block needs inline justification
for each elevated scope so the image attestation setup is auditable. Update the
permissions section in the attest-images workflow to add brief rationale
comments beside `packages: write`, `id-token: write`, and `attestations: write`,
and keep the comments tied to the attestation/release steps they support. Use
the workflow’s permissions block as the reference point so it’s clear why these
non-read-only permissions are required.
In @.github/workflows/on-tag.yaml:
- Around line 453-457: The workflow permissions block for the release job
includes sensitive token scopes without explanation; add inline rationale next
to the permissions in on-tag.yaml so future maintainers understand why contents:
read, packages: write, id-token: write, and attestations: write are required and
keep least privilege intact. Use the existing permissions section in the release
workflow to document the purpose of these scopes directly where they are
declared.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Enterprise
Run ID: 2cf0fcd8-d5ab-4abf-b29a-34d2dd33ad64
📒 Files selected for processing (11)
.github/workflows/attest-images.yaml.github/workflows/on-tag.yamlREADME.mdRELEASING.mdSECURITY.mddemos/provenance-demo-slides.htmldemos/provenance-demo.shdemos/provenance.mddocs/README.mddocs/integrator/supply-chain-verification.mddocs/user/installation.md
Coverage Report ✅
Coverage BadgeNo Go source files changed in this PR. |
Summary
Restore SLSA Build Level 3 for AICR container-image provenance by generating the attestation from a dedicated reusable workflow, and re-assert the (previously qualified) L3 wording across the docs.
Motivation / Context
Image attestations regressed to Build L2 when the
atteststep was inlined into theon-tag.yamlrelease job. GitHub issues Build L2 for attestations generated in a caller workflow and Build L3 only when they are generated from a reusable workflow (the isolated, vetted builder identity). This was diagnosed on #1536: the v0.16.0ghcr.io/nvidia/aicrprovenance hasbuilder.id = .../on-tag.yaml(the caller), andgh attestation verify --signer-workflow .../build.yamlfails — both confirming L2.Fixes: #1536
Related: #1547 (qualified the L3 docs to "build level under review" pending this fix)
Type of Change
Component(s) Affected
docs/,examples/).github/workflows/on-tag.yaml, new.github/workflows/attest-images.yaml)Implementation Notes
.github/workflows/attest-images.yaml(on: workflow_call, inputtag) holds the image-attestation steps.on-tag.yaml'sattestjob now calls it viauses:. The provenance builder identity becomes the reusable workflow, sogh attestation verify --signer-workflow NVIDIA/aicr/.github/workflows/attest-images.yamlis the L3 acceptance test.sbom-and-attest(image SBOM Cosign attestation andattest-build-provenance) runs inside the reusable workflow, both the image build-provenance signer and the image SBOM Cosign--certificate-identity-regexpmove toattest-images.yaml. All image-verification references acrossSECURITY.md,RELEASING.md,docs/integrator/supply-chain-verification.md, and the provenance demos were repointed accordingly.cosign attest-blobsigned fromon-tag.yaml). Their verification references (cli-reference.md,bundle-attestation.*, and theaicrverify-blob-attestation) intentionally still pinon-tag.yaml. TheSECURITY.mdtable reflects this split: images = Build Level 3, binaries = Build Provenance v1.SECURITY.md.Testing
No Go sources changed. The end-to-end L3 outcome can only be confirmed by a tagged release (attestations are produced on tag); the documented acceptance test is:
gh attestation verify "oci://ghcr.io/nvidia/aicr@<digest>" --repo NVIDIA/aicr \ --signer-workflow NVIDIA/aicr/.github/workflows/attest-images.yamlRisk Assessment
Rollout notes: The restored L3 wording is accurate as of the first release built with this workflow; v0.16.0 and earlier image attestations remain L2 (signed by
on-tag.yaml) and will not verify against the new--signer-workflow. No consumer migration required.Checklist
make testwith-race) — N/A (no Go changes); workflows lint cleanmake lint) —actionlint+yamllintclean on changed workflowsgh attestation verifyat release)git commit -S)