
feat(ci): migrate from Cosign/Sigstore to GitHub native attestations#786

Merged
KrisF-Midnight merged 11 commits into main from SRE-1910/github-native-attestations on Feb 26, 2026

Conversation

@KrisF-Midnight

Contributor

Summary

  • Replace cosign sign / cosign attest with actions/attest-build-provenance and actions/attest-sbom for all container images (GHCR midnight-ntwrk, GHCR midnightntwrk, Docker Hub)
  • Add build provenance attestation for release binary assets (tar.gz + SHA256SUMS) — previously not signed at all
  • Re-enable SBOM attestation (was disabled due to Sigstore Rekor rejecting payloads)
  • Rewrite scripts/verify-image.sh and scripts/verify-binary.sh to use gh attestation verify
  • Delete sign-image.sh, sign-image.yml, sign-binary.sh (no longer needed)
  • Update all security docs and release checklist for GitHub native attestations

Why

  • Eliminates external Sigstore/Fulcio/Rekor dependencies (source of recurring failures)
  • GitHub native attestations are first-class, stored in GitHub's attestation API
  • Enables binary release asset attestation (new capability)
  • Simpler verification: gh attestation verify instead of cosign + certificate chains

Files changed (17 files, -869/+581 lines)

  • .github/workflows/main.yml — all signing steps replaced with attestation
  • .github/workflows/release-image.yml — signing replaced, binary attestation added
  • .github/workflows/sbom-scan-image.yml — cosign removed, uses actions/attest-sbom
  • .github/scripts/sbom-scan.sh — removed attest_sbom_with_retry() (Syft/Grype unchanged)
  • .github/scripts/sign-image.sh — deleted
  • .github/scripts/sign-binary.sh — deleted
  • .github/workflows/sign-image.yml — deleted
  • scripts/verify-image.sh — rewritten for gh attestation verify
  • scripts/verify-binary.sh — rewritten for gh attestation verify
  • docs/security/* — updated all 6 security docs from cosign to gh CLI
  • .github/ISSUE_TEMPLATE/node-release-checklist.md — "signatures" → "attestations"

Test plan

  • Created test-attestation.yml workflow — all 7 jobs passed (binary attest, verify-binary.sh, build provenance, SBOM attest, SBOM verify, verify-image.sh, summary)
  • Verify main.yml attestation steps pass on a real push to this branch
  • After merge, verify gh attestation verify oci://ghcr.io/midnight-ntwrk/midnight-node:TAG --owner midnightntwrk works
  • Verify gh attestation verify with --predicate-type https://spdx.dev/Document for SBOM

JIRA: https://shielded.atlassian.net/browse/SRE-1910

🤖 Generated with Claude Code
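As an added example, not the repository's own verify-binary.sh or verify-image.sh, a minimal script in the shape the test plan describes: it verifies the SHA256SUMS file and the tarball with gh attestation verify, ties the tarball to the attested checksum list with a local digest check, and verifies an image's build provenance and SBOM attestation using the predicate type named above. The default owner midnightntwrk and the file names are assumptions taken from the PR text.

```shell
#!/usr/bin/env bash
# Added example, not the repository's verify-binary.sh / verify-image.sh.
# Flow: gh attestation verify proves SHA256SUMS and the tarball were produced
# by the owner's workflow; the local digest check then ties the two together.
set -euo pipefail

# Hex SHA-256 of a file (coreutils sha256sum, or shasum on macOS).
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Compare a file's digest with its SHA256SUMS entry (matches both
# "hash  name" and binary-mode "hash *name"). Returns 0 on match, 1 otherwise.
check_sha256sums() {
  local file="$1" sums="$2"
  local name expected actual
  name=$(basename "$file")
  expected=$(awk -v f="$name" '$2 == f || $2 == ("*" f) { print $1; exit }' "$sums")
  if [ -z "$expected" ]; then
    echo "no SHA256SUMS entry for $name" >&2
    return 1
  fi
  actual=$(file_sha256 "$file")
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $name" >&2
    return 1
  fi
}

# Release asset: verify provenance of SHA256SUMS and the tarball, then the
# local checksum. Owner defaults to midnightntwrk (assumed from the PR test plan).
verify_release_asset() {
  local tarball="$1" sums="$2" owner="${3:-midnightntwrk}"
  gh attestation verify "$sums" --owner "$owner"
  gh attestation verify "$tarball" --owner "$owner"
  check_sha256sums "$tarball" "$sums"
}

# Image: build provenance first, then the SBOM attestation by predicate type.
verify_image() {
  local image="$1" owner="${2:-midnightntwrk}"
  gh attestation verify "oci://$image" --owner "$owner"
  gh attestation verify "oci://$image" --owner "$owner" \
    --predicate-type https://spdx.dev/Document
}
```

Usage: `verify_release_asset midnight-node.tar.gz SHA256SUMS` or `verify_image ghcr.io/midnight-ntwrk/midnight-node:TAG`; both require an authenticated gh CLI.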

Krisztian Feher added 6 commits February 25, 2026 10:54
… attestations

Replace Cosign keyless signing with GitHub's actions/attest-build-provenance
and actions/attest-sbom actions, eliminating external Sigstore/Rekor dependencies.
Re-enable SBOM attestation (previously disabled due to Rekor rejecting payloads).
Add build provenance attestation for release binary assets.

- Replace cosign sign with actions/attest-build-provenance for all images
- Replace cosign attest with actions/attest-sbom for SBOM attestation
- Add binary release asset attestation (tar.gz and SHA256SUMS)
- Delete sign-image.sh, sign-binary.sh, sign-image.yml
- Remove attest_sbom_with_retry and attest_sbom_to_multiarch from sbom-scan.sh
- Rewrite verify-image.sh to use gh attestation verify
- Support both GHCR orgs (midnight-ntwrk and midnightntwrk)

JIRA: SRE-1910

The --format '{{.Manifest.Digest}}' template only works for manifest
lists, not single-arch v2 manifests. Replace with --raw | sha256sum
which computes the correct content-addressable digest for any manifest
type.

Replace cosign verify-blob with gh attestation verify. Add test job
to test-attestation.yml to validate the script against an attested
test binary.

…testations

Replace all cosign/Sigstore references with GitHub native attestation
commands (gh attestation verify). Remove .sig/.pem file references,
Rekor/Fulcio architecture descriptions, and Sigstore outage procedures.

Remove test-attestation.yml (validated, no longer needed).
KrisF-Midnight self-assigned this Feb 25, 2026


github-actions Bot commented Feb 25, 2026


KICS version: v2.1.16

Category   Results
CRITICAL   0
HIGH       0
MEDIUM     96
LOW        12
INFO       83
TRACE      0
TOTAL      191

Metric                     Values
Files scanned              30
Files parsed               30
Files failed to scan       0
Total executed queries     73
Queries failed to execute  0
Execution time             9

Review comment thread on .github/workflows/sbom-scan-image.yml (dismissed)

KrisF-Midnight merged commit 510fb3b into main Feb 26, 2026
15 checks passed
KrisF-Midnight deleted the SRE-1910/github-native-attestations branch February 26, 2026 14:28
gilescope pushed a commit that referenced this pull request Apr 8, 2026
fixes:
- (race condition) governed map observability tests could fail if partner chains node created a block referencing stable main chain block just after main has created <security_param + 1> block
m2ux added a commit that referenced this pull request Apr 23, 2026
fixes:
- (race condition) governed map observability tests could fail if partner chains node created a block referencing stable main chain block just after main has created <security_param + 1> block
Signed-off-by: Mike Clay <mike.clay@shielded.io>