Provide instructions how to replace docker-ci-scripts with official workflows. #187
Comments
|
We might use https://github.com/charmbracelet/vhs-action to make it more appealing. |
|
As of Buildx release v0.10.0 slsa / sbom and signing are included by default. So the need for docker-ci-scripts are becoming less and less important. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The official docker build-push-action now also supports SBOM (with syft) and generating provenance (with SLSA).
https://github.com/docker/build-push-action#inputs
Provide alternative for
docker-ci-scriptsin example / re-usable workflows so people can start using the official docker github actions.Rationale
SSSC is now integrated in docker/build-push-action
The value of docker-ci-scripts for having everything in one action is now reduced. Previous build pipelines were very long if you wanted to do proper Secure Software Supply Chain stuff like Signing with CoSign, SBOM with Syft and Provenance with SLSA.
Now creating the SBOM and Provenance is done in
docker/build-push-actionincluding installing the correct versions, so this will make the workflow a lot more clear.Multiple tags
Having an easy way of generating multiple versions for a container f.e.
latest,v1,v1.1, andv1.1.8can now be done with https://github.com/docker/metadata-actionThe text was updated successfully, but these errors were encountered: