From 1b1c11b184407a05f0789bbfc9e6468e782e495b Mon Sep 17 00:00:00 2001 From: Behnam Mozafari Date: Fri, 8 May 2026 15:55:04 +1000 Subject: [PATCH 1/3] UID2-6764: grant id-token and attestations write for SLSA provenance Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/release-docker-image.yaml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/workflows/release-docker-image.yaml b/.github/workflows/release-docker-image.yaml index 13f5f14..89235b6 100644 --- a/.github/workflows/release-docker-image.yaml +++ b/.github/workflows/release-docker-image.yaml @@ -45,6 +45,13 @@ on: jobs: Image: + permissions: + contents: write + security-events: write + packages: write + pull-requests: write + id-token: write + attestations: write uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-publish-java-to-docker-versioned.yaml@v3 with: release_type: ${{ inputs.release_type }} From 9306bea97b6e022886937f57758e453f1de53893 Mon Sep 17 00:00:00 2001 From: Behnam Mozafari Date: Mon, 11 May 2026 10:17:32 +1000 Subject: [PATCH 2/3] UID2-6764: also grant artifact-metadata:write for attest@v4 storage record actions/attest@v4.1.0 calls GitHub's artifact-metadata API (create-storage-record:true by default). Without this permission the run logs 'Failed to persist storage record'; attestation still works but the new GitHub UI "Attestations" tab doesn't get cross-linked metadata. Matches the addition on uid2-shared-actions#228. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/release-docker-image.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/release-docker-image.yaml b/.github/workflows/release-docker-image.yaml index 89235b6..a8a5281 100644 --- a/.github/workflows/release-docker-image.yaml +++ b/.github/workflows/release-docker-image.yaml @@ -52,6 +52,7 @@ jobs: pull-requests: write id-token: write attestations: write + artifact-metadata: write uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-publish-java-to-docker-versioned.yaml@v3 with: release_type: ${{ inputs.release_type }} From 44840dda65540e675030355bb71fe6be65dba62a Mon Sep 17 00:00:00 2001 From: Behnam Mozafari Date: Tue, 12 May 2026 09:21:43 +1000 Subject: [PATCH 3/3] UID2-6764: document image provenance verification --- README.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/README.md b/README.md index 558cb44..96cd11e 100644 --- a/README.md +++ b/README.md @@ -40,3 +40,20 @@ mvn clean compile exec:java -Dvertx-config-path=conf/local-config.json mvn clean compile exec:java -Dvertx-config-path=conf/integ-config.json ``` +## Verifying image provenance + +Every non-snapshot image published by this repo's release workflow ships with a [SLSA v1.0](https://slsa.dev/spec/v1.0/) build-provenance attestation, signed by GitHub's [Sigstore](https://www.sigstore.dev/) instance via the OIDC identity of the [shared publish workflow](https://github.com/IABTechLab/uid2-shared-actions). The attestation cryptographically binds the image digest to the source commit, the signing workflow, and the runner that built it. + +To verify an image, install [`gh`](https://cli.github.com/) (≥ 2.49) and run: + +```bash +gh attestation verify \ + oci://ghcr.io/iabtechlab/uid2-optout: \ + --owner IABTechLab \ + --signer-repo IABTechLab/uid2-shared-actions +``` + +A successful run prints `✓ Verification succeeded!` followed by the SLSA provenance fields — including `sourceRepositoryDigest` (the source commit), `workflow.path` (the signing workflow), and the runner identity. + +Snapshot tags (`-SNAPSHOT` suffix) deliberately skip attestation. `gh attestation verify` returns `no attestations found` against a snapshot — that's expected. +