
Add SBOM attestations to Docker images#18252

Merged: zanieb merged 2 commits into main from zb/docker-sbom on Mar 3, 2026

Conversation


@zanieb zanieb commented Mar 2, 2026

Adds SBOM attestations https://docs.docker.com/build/metadata/attestations/sbom/

Requires rust-secure-code/cargo-auditable#236 for our uv binaries and their dependencies to be included in the SBOM

You can inspect the SBOM with, e.g.:

```shell
docker buildx imagetools inspect ghcr.io/astral-sh/uv-dev:sha-ece6427 --format '{{json .SBOM}}' | jq
docker buildx imagetools inspect ghcr.io/astral-sh/uv-dev:sha-ece6427-python3.9-trixie --format '{{json .SBOM}}' | jq
```

Also explicitly sets https://docs.docker.com/build/metadata/attestations/slsa-provenance/#max but there appears to be no change as all of the max SLSA data is already present.
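A way to turn the inspection above into a check, as an added example that is not part of the PR or the uv project's code: parse the SPDX document that the `imagetools inspect ... --format '{{json .SBOM}}'` query returns and confirm that the application binary and its Rust crate dependencies are recorded, which is exactly what the cargo-auditable requirement is meant to guarantee (without auditable data in the binary, only the OS packages show up). The sample document is constructed; the package names and versions are placeholders, and the outer `{"SPDX": ...}` wrapper is an assumption about the per-platform shape of Docker's output, so `extract_spdx()` also accepts a bare SPDX document or an in-toto statement whose predicate is the SPDX document.

```python
"""Check a Docker SBOM attestation (SPDX JSON) for expected packages.

Added example, not the uv project's code. Reads the SPDX document returned
by `docker buildx imagetools inspect <image> --format '{{json .SBOM}}'`
and reports which required packages are missing.
"""
import json
import re

# Constructed sample shaped like the query output for one platform.
# Names/versions are placeholders; the {"SPDX": ...} wrapper is assumed.
SAMPLE_SBOM_JSON = json.dumps({
    "SPDX": {
        "spdxVersion": "SPDX-2.3",
        "name": "ghcr.io/example/uv-dev:sha-PLACEHOLDER",
        "packages": [
            {"name": "uv", "versionInfo": "0.0.0-placeholder",
             "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                               "referenceType": "purl",
                               "referenceLocator": "pkg:cargo/uv@0.0.0-placeholder"}]},
            {"name": "reqwest", "versionInfo": "0.0.0-placeholder",
             "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                               "referenceType": "purl",
                               "referenceLocator": "pkg:cargo/reqwest@0.0.0-placeholder"}]},
            {"name": "libc6", "versionInfo": "0.0.0-placeholder",
             "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                               "referenceType": "purl",
                               "referenceLocator": "pkg:deb/debian/libc6@0.0.0-placeholder"}]},
        ],
    }
})


def extract_spdx(obj):
    """Return the SPDX document from the shapes a buildx SBOM query can produce."""
    if "spdxVersion" in obj:          # bare SPDX document
        return obj
    if "predicate" in obj:            # in-toto statement wrapping the SPDX document
        return extract_spdx(obj["predicate"])
    if "SPDX" in obj:                 # assumed imagetools wrapper for one platform
        return extract_spdx(obj["SPDX"])
    raise ValueError("no SPDX document found in attestation JSON")


def load_spdx(sbom_json):
    """Parse attestation JSON text into the SPDX document."""
    return extract_spdx(json.loads(sbom_json))


def purls(spdx):
    """Map each package's purl (package URL) to its SPDX package entry."""
    out = {}
    for pkg in spdx.get("packages", []):
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceType") == "purl":
                out[ref["referenceLocator"]] = pkg
    return out


def packages_by_type(spdx, purl_type):
    """Sorted names of packages whose purl type matches, e.g. 'cargo' or 'deb'."""
    pattern = re.compile(rf"^pkg:{re.escape(purl_type)}/")
    return sorted(pkg["name"] for purl, pkg in purls(spdx).items() if pattern.match(purl))


def missing_packages(spdx, required):
    """Return the required (name, purl_type) pairs absent from the SBOM.

    An empty list means every expected package was recorded; a non-empty
    list is the signal that the binary was built without auditable data
    or that the scanner did not pick it up.
    """
    present = {(pkg["name"], purl.split(":", 1)[1].split("/", 1)[0])
               for purl, pkg in purls(spdx).items()}
    return [req for req in required if req not in present]


def check_sbom(sbom_json, required):
    """Parse attestation JSON text and report the missing required packages."""
    return missing_packages(load_spdx(sbom_json), required)


if __name__ == "__main__":
    spdx = load_spdx(SAMPLE_SBOM_JSON)
    print("cargo crates:", packages_by_type(spdx, "cargo"))
    print("deb packages:", packages_by_type(spdx, "deb"))
    print("missing:", check_sbom(SAMPLE_SBOM_JSON, [("uv", "cargo"), ("not-in-image", "cargo")]))
```

In practice the sample would be replaced by the output of the `imagetools inspect` command piped to a file; a non-empty result from `check_sbom` is the condition to fail a CI step on, since an SBOM that lists only Debian packages for a Rust image means the crate dependencies were silently dropped.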

@zanieb zanieb changed the title from "Enable provenance and sboms during Docker builds" to "Enable maximum provenance and SBOM attestations during Docker builds" Mar 2, 2026
zanieb added a commit that referenced this pull request Mar 3, 2026
I need to test features that require push to a registry, e.g., #18252,
and want to do so without releasing. This adds publish to a `uv-dev`
namespace and uses the sha instead of the version. It requires the
`release-test` environment, which is allowed from non-main but requires
approval from me to run. It is triggered by the `build:push-docker` label.

See https://github.com/astral-sh/uv/pkgs/container/uv-dev
@zanieb zanieb added the build:push-docker Enable a test push of Docker images with a SHA tag label Mar 3, 2026
@zanieb zanieb requested review from samypr100 and woodruffw March 3, 2026 16:39
@zanieb zanieb marked this pull request as ready for review March 3, 2026 16:39
# Install patched cargo-auditable with Zig linker support
RUN cargo install \
--git https://github.com/rust-secure-code/cargo-auditable.git \
--rev caa964b714d8da6b1139b8e7a0a2ba5979235f22 \
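Review bot: the `--rev` pin makes the build reproducible, but the comment above it only says "patched cargo-auditable with Zig linker support"; put the upstream reference (rust-secure-code/cargo-auditable#236) and the condition for dropping the pin (once that change ships in a release) next to the `RUN cargo install` line so the pinned fork does not outlive its purpose. Consider also passing `--locked` to `cargo install` so the build resolves dependencies from the pinned commit's Cargo.lock instead of re-resolving them at image build time.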
Just noting for future reference that this is from rust-secure-code/cargo-auditable#236 🙂

@woodruffw woodruffw left a comment
Nice!

@samypr100 samypr100 left a comment
Does depot support provenance and sbom?


zanieb commented Mar 3, 2026

> Does depot support provenance and sbom?

It seems like it, I tested it end-to-end.

@zanieb zanieb merged commit b9abe15 into main Mar 3, 2026
81 checks passed