feat(docker): create images digest file for attestation #6001
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
closes #4852 refs actions/attest-build-provenance#454 Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
Deploying goreleaser with
|
| Latest commit: |
9195b9f
|
| Status: | ✅ Deploy successful! |
| Preview URL: | https://d5d67018.goreleaser.pages.dev |
| Branch Preview URL: | https://docker-attest.goreleaser.pages.dev |
This was referenced Aug 20, 2025
There was a problem hiding this comment.
Pull Request Overview
This PR implements functionality to create a Docker images digest file for build attestation. The feature addresses the need for generating digest information that can be consumed by GitHub's attestation action to verify image provenance.
- Adds a new
docker_digestconfiguration option to generate adigests.txtfile containing image digests and names - Integrates the new digest pipe into the publishing pipeline to run after Docker images are pushed
- Updates documentation and workflows to demonstrate usage with GitHub's attestation action
Reviewed Changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| www/mkdocs.yml | Adds navigation entry for new Docker digests documentation |
| www/docs/customization/docker_digests.md | New documentation page explaining the docker_digest feature |
| www/docs/customization/attestations.md | Updates attestation docs to include Docker image attestation workflow |
| pkg/defaults/defaults.go | Registers the new dockerdigest pipe in the default pipeline |
| pkg/config/config.go | Adds DockerDigest configuration struct and integrates it into Project config |
| internal/pipe/publish/publish.go | Includes dockerdigest pipe in the publishing pipeline |
| internal/pipe/dockerdigest/digest_test.go | Test suite for the new dockerdigest functionality |
| internal/pipe/dockerdigest/digest.go | Core implementation of the dockerdigest pipe |
| internal/pipe/checksums/checksums.go | Minor error message correction |
| .github/workflows/release.yml | Adds attestation step for Docker digests |
| .github/workflows/nightly-oss.yml | Adds attestation step for Docker digests |
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #6001 +/- ##
==========================================
+ Coverage 82.75% 82.77% +0.01%
==========================================
Files 165 166 +1
Lines 16571 16607 +36
==========================================
+ Hits 13714 13747 +33
- Misses 2265 2267 +2
- Partials 592 593 +1 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
caarlos0
added a commit
that referenced
this pull request
Aug 21, 2025
This is the v2 of the docker feature! - better DX (less yaml repetition and templates) - simpler implementation ### So now, what happens: - if `--snapshot`, it'll build the manifest, but not push it (only useful to test the actual docker image build, not the image itself) - otherwise, on publish, it'll run a single `docker buildx build` to build and publish the manifest + SBOM - `docker_signs` should still work - `docker_digests` should still work Discussion for after the merge: https://github.com/orgs/goreleaser/discussions/6005 ### TODO from the top of my head: - [x] ~~pro: split/merge wiring~~[^1] - [x] tests - [x] signing - [x] sbom - [x] attestations #6001 --- closes #5733 [^1]: Not really needed, will only run in publish, which runs in the merging step. --------- Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
|
@caarlos0 there is a typo either in the doc or the code: The S at the end is the issue. |
|
typo on the docs - thanks @Belphemur will fix |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
closes #4852
refs actions/attest-build-provenance#454