Image Annotations & Attestations #322

Merged
merged 8 commits into from
Aug 11, 2025
5 changes: 5 additions & 0 deletions .changeset/silent-suns-watch.md
@@ -0,0 +1,5 @@
---
'@powersync/service-image': patch
---

Add attestations to Docker image.
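Review bot: the changeset entry `Add attestations to Docker image.` undersells the change for anyone reading the release notes: the same PR also attaches OCI labels and manifest/index annotations (licence, version, vendor) to the published image and bumps docker/build-push-action from v5 to v6. Suggest a line that names all three, since the labels and annotations are what downstream tooling will see first when it inspects the image, and the action bump changes workflow defaults.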
31 changes: 28 additions & 3 deletions .github/workflows/development_image_release.yaml
@@ -67,13 +67,38 @@ jobs:
id: get_version
run: echo "SERVICE_VERSION=$(node -p "require('./service/package.json').version")" >> $GITHUB_OUTPUT

- name: Extract metadata for the image
uses: docker/metadata-action@v5
id: meta
with:
images: ${{ vars.DOCKER_REGISTRY }}
labels: |
org.opencontainers.image.licenses=FSL-1.1-ALv2
org.opencontainers.image.version=${{ steps.get_version.outputs.SERVICE_VERSION }}
org.opencontainers.image.vendor=Journey Mobile, Inc
annotations: |
org.opencontainers.image.licenses=FSL-1.1-ALv2
org.opencontainers.image.version=${{ steps.get_version.outputs.SERVICE_VERSION }}
org.opencontainers.image.vendor=Journey Mobile, Inc
env:
DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index

- name: Build Image and Push
uses: docker/build-push-action@v5
uses: docker/build-push-action@v6
with:
platforms: linux/arm64,linux/amd64
cache-from: type=registry,ref=${{vars.DOCKER_REGISTRY}}:latest
context: .
# This should not be taged as latest
# This should not be taged as latest
tags: ${{vars.DOCKER_REGISTRY}}:${{steps.get_version.outputs.SERVICE_VERSION}}
push: true
file: ./service/Dockerfile
push: true

# Add labels and annotations from metadata-action above.
labels: ${{ steps.meta.outputs.labels }}
annotations: ${{ steps.meta.outputs.annotations }}
# Note: This includes build args in the published provenance.
# Do not use this if secrets are passed in as args.
provenance: mode=max
# Pre-generate an SBOM file, which can be used for vulnerability scanning or listing licenses.
sbom: true
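Review bot: `provenance: mode=max` and `sbom: true` make BuildKit emit attestations, but these are unsigned in-toto statements stored as additional manifests in the pushed image index. A consumer can read them with `docker buildx imagetools inspect <ref> --format '{{json .Provenance}}'` (or `{{json .SBOM}}`), but nothing in this hunk lets them verify that the statements were produced by this workflow rather than by anyone with push access to the registry repository. If "attestations" in the changeset is meant in the verifiable sense, add a signing step (cosign, or actions/attest-build-provenance) or document the limitation where the image is published. Two smaller points in the same hunk: `# This should not be taged as latest` should read `tagged`, and as rendered both that comment and `push: true` appear twice in the step; please confirm the final `with:` block has exactly one of each, since a duplicated `push` key is at best redundant and at worst rejected by the YAML parser.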
29 changes: 27 additions & 2 deletions .github/workflows/packages_release.yaml
@@ -112,8 +112,24 @@ jobs:
id: get_version
run: echo "SERVICE_VERSION=$(node -p "require('./service/package.json').version")" >> $GITHUB_OUTPUT

- name: Extract metadata for the image
uses: docker/metadata-action@v5
id: meta
with:
images: ${{ vars.DOCKER_REGISTRY }}
labels: |
org.opencontainers.image.licenses=FSL-1.1-ALv2
org.opencontainers.image.version=${{ steps.get_version.outputs.SERVICE_VERSION }}
org.opencontainers.image.vendor=Journey Mobile, Inc
annotations: |
org.opencontainers.image.licenses=FSL-1.1-ALv2
org.opencontainers.image.version=${{ steps.get_version.outputs.SERVICE_VERSION }}
org.opencontainers.image.vendor=Journey Mobile, Inc
env:
DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index

- name: Build Image and Push
uses: docker/build-push-action@v5
uses: docker/build-push-action@v6
with:
platforms: linux/arm64,linux/amd64
cache-from: type=registry,ref=${{vars.DOCKER_REGISTRY}}:latest
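Review bot: the bump at `uses: docker/build-push-action@v6` changes more than the attestation defaults: v6 writes a build summary to the job and uploads a build record artifact (which includes the build logs) to the workflow run by default, so either confirm that is acceptable for a release workflow or set `DOCKER_BUILD_RECORD_UPLOAD: false` in the step's `env`. Separately, the `Extract metadata for the image` step is a verbatim copy of the one added to development_image_release.yaml, and within it the `labels:` and `annotations:` lists are identical to each other; consider moving the licence and vendor strings into repository variables or a composite action so the two release paths cannot drift.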
@@ -122,7 +138,16 @@ jobs:
push: true
file: ./service/Dockerfile

# # Updates the README section on the DockerHub page
# Add labels and annotations from metadata-action above.
labels: ${{ steps.meta.outputs.labels }}
annotations: ${{ steps.meta.outputs.annotations }}
# Note: This includes build args in the published provenance.
# Do not use this if secrets are passed in as args.
provenance: mode=max
# Pre-generate an SBOM file, which can be used for vulnerability scanning or listing licenses.
sbom: true

# Updates the README section on the DockerHub page
- name: Update repo description
# Note that this 3rd party extention is recommended in the DockerHub docs:
# https://docs.docker.com/build/ci/github-actions/update-dockerhub-desc/
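Review bot: the warning at `# Do not use this if secrets are passed in as args.` is the right caveat, but the hunk's context is cut off above `push: true`, so a reviewer cannot see whether this step already passes `build-args`; please confirm none do. If the build ever needs credentials, pass them through BuildKit `secrets:` (secret mounts), which are not recorded in the provenance statement, rather than `build-args`, which `mode=max` does record. The comment fix from `# # Updates` to `# Updates` looks good.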