feat: SLSA 3 #946
feat: SLSA 3 #946
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #946 +/- ##
==========================================
- Coverage 63.01% 62.91% -0.10%
==========================================
Files 17 17
Lines 1049 1049
==========================================
- Hits 661 660 -1
- Misses 388 389 +1
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
jvanz
force-pushed
the
main
branch
6 times, most recently
from
d801ece to
a047bfc
Compare
| @@ -1,22 +1,51 @@ | |||
| FROM rust:1.80-alpine AS build | |||
| FROM --platform=${BUILDPLATFORM} ghcr.io/cross-rs/aarch64-unknown-linux-musl:0.2.5 AS build-arm64 | |||
There was a problem hiding this comment.
Using the rs-cross project container image I can cross compile the code inside the container image. This container image already have all the tools required by the toolchain/target to compile the code (e.g. aarch64 compiler). This allows us to build the project in 20 minutes instead of 3 hours.
There was a problem hiding this comment.
This sounds great!
I wonder though if it is possible to remove the duplication and parametrize with platform, we are building on top of both build-arm64 and build-am64, even if at the end we only copy the relevant binary to scratch. Both the buildchains may appear in provenance and so, when there's only need of 1.
There was a problem hiding this comment.
Take this CI x86_64 provenance file. The build commands does not show reference of usage of the aarch container image. The aarch container image is mentioned in the "materials" field only. But I do not know if this is an issue or not.
jq ".predicate.materials" policy-server-attestation-amd64-provenance.json
[
{
"uri": "pkg:docker/docker/buildkit-syft-scanner@stable-1",
"digest": {
"sha256": "176e0869c38aeaede37e594fcf182c91d44391a932e1d71e99ec204873445a33"
}
},
{
"uri": "pkg:docker/alpine@latest?platform=linux%2Famd64",
"digest": {
"sha256": "beefdbd8a1da6d2915566fde36db9db0b524eb737fc57cd1367effd16dc0d06d"
}
},
{
"uri": "pkg:docker/ghcr.io/cross-rs/aarch64-unknown-linux-musl@0.2.5?platform=linux%2Famd64",
"digest": {
"sha256": "702154f52b2d8091671aa2c84d5582d849f949977228c735ff8462f93cc0e1e4"
}
},
{
"uri": "pkg:docker/ghcr.io/cross-rs/x86_64-unknown-linux-musl@0.2.5?platform=linux%2Famd64",
"digest": {
"sha256": "77db671d8356a64ae72a3e1415e63f547f26d374fbe3c4762c1cd36c7eac7b99"
}
}
]
jvanz
force-pushed
the
main
branch
6 times, most recently
from
d886b19 to
a270731
Compare
Updates the CI to make policy server SLSA 3 complaint by providing the SBOM and provenance files. Signed-off-by: José Guilherme Vanz <jguilhermevanz@suse.com>
|
I'm in the middle of a review, but I came by this specific doc for faster cross arch builds in Dockerfiles: |
Co-authored-by: Víctor Cuadrado Juan <2196685+viccuad@users.noreply.github.com> Signed-off-by: José Guilherme Vanz <jvanz@jvanz.com>
Co-authored-by: Víctor Cuadrado Juan <2196685+viccuad@users.noreply.github.com> Signed-off-by: José Guilherme Vanz <jvanz@jvanz.com>
|
Merged by a manual merge commit as instructed by GH. |
Description
Updates the CI to make policy server SLSA 3 complaint by providing the SBOM and provenance files.
Fix #944