feat(acquire): attach acquisition-provenance referrer on mirror#144
Merged
Conversation
Add an OCI 1.1 in-toto referrer recording where each image was acquired from and how, attached to freshly-mirrored quarantine images. - New composite action attach-acquisition-provenance: builds an in-toto Statement (predicate type https://toddysm.com/acquisition-provenance/v0.1) per subject and oras-attaches it to the index/tag and each per-platform child manifest, with com.toddysm.acquisition.* discovery annotations. - _mirror-image.yml: new record_acquisition_provenance input (default true), widened setup-oras condition, and a gated attach step (only on external -> quarantine acquisition, only when copied == true). Promotion unaffected. - Docs: design doc (docs/architecture/acquire/acquisition-provenance.md), reference (docs/reference/acquisition-provenance.md), action catalogue + terminology rows, mirror-workflows Implemented/Not-implemented updates. Closes #141 Closes #142 Closes #143 Part of #140
Contributor
There was a problem hiding this comment.
Pull request overview
This PR implements “acquisition provenance” for the acquire/mirror flow by attaching an OCI 1.1 referrer (in-toto Statement) to mirrored images in quarantine/<image>, capturing where the image came from and how/when it was acquired.
Changes:
- Adds a new composite action to generate and
oras attachacquisition-provenance in-toto statements at both index/tag and per-platform manifest levels. - Wires the action into the reusable
_mirror-image.ymlworkflow behind a newrecord_acquisition_provenanceinput (defaulttrue). - Adds/updates architecture and reference documentation describing the artifact format, fields, discovery annotations, and retrieval commands.
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
.github/actions/attach-acquisition-provenance/action.yml |
New composite action that builds in-toto Statements and attaches them as OCI referrers (index + per-platform). |
.github/workflows/_mirror-image.yml |
Adds record_acquisition_provenance input; installs ORAS when needed; calls the new action after a mirror. |
docs/reference/acquisition-provenance.md |
New consumer-facing reference describing the referrer, fields, annotations, and retrieval commands. |
docs/reference/README.md |
Adds acquisition provenance to the reference index. |
docs/reference/workflow-actions.md |
Adds the new action to the action catalogue and documents its inputs. |
docs/architecture/acquire/acquisition-provenance.md |
New/updated design doc marking the feature as implemented and specifying statement/predicate details. |
docs/architecture/acquire/image-mirror-workflows.md |
Updates mirror workflow behavior documentation to include acquisition provenance and adjusts non-goals. |
docs/architecture/acquire/README.md |
Adds acquisition provenance under “Supply Chain Observability”. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Gate the attach step on an actual digest change (copied==true AND digest != previous-digest) so the copy_referrers re-sync path (which reports copied=true on an unchanged digest) no longer attaches a duplicate referrer to the same subject. - Log in oras to GHCR when record_acquisition_provenance is enabled, not only when copy_referrers is set (oras attach needs the login). - Parse the digest algorithm generically and fail fast on non-digest input instead of hard-coding sha256. - Include platform.variant in per-platform titles/file names (arm/v6 vs v7), matching scan-sbom. - Docs: drop the stale "Proposed" label, and align the design/reference wording with the digest-change guard.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Implements the acquisition-provenance referrer feature. For every image acquired (mirrored) from an external registry into
quarantine/<image>, attach an OCI 1.1 in-toto referrer recording where it came from and how it was acquired.Design: docs/architecture/acquire/acquisition-provenance.md · Tracking: #140
What changed
.github/actions/attach-acquisition-provenance— builds an in-toto Statement (artifact typeapplication/vnd.in-toto+json, predicate typehttps://toddysm.com/acquisition-provenance/v0.1) per subject andoras attaches it to the index/tag and each per-platform child manifest. Per-platform statements also carryplatformSourceDigest. Key fields are duplicated ascom.toddysm.acquisition.*discovery annotations._mirror-image.yml— newrecord_acquisition_provenanceinput (defaulttrue);setup-orascondition widened to include it; new Attach acquisition provenance step gated onrecord_acquisition_provenance && steps.mirror.outputs.copied == 'true'. Scoped to external → quarantine acquisition only (promotion uses the promote workflows and is unaffected). No new secrets.docs/reference/acquisition-provenance.md), action catalogue + terminology rows inworkflow-actions.md, andimage-mirror-workflows.mdImplemented / Not-implemented updates.Predicate fields
Core (always): source ref/registry/repository/tag/digest, destination ref/digest,
acquiredAt,runUrl. Plusactor,workflow(name/runId/runAttempt),copyMethod(crane|oras),copyReferrers,sourceAuthenticated, and per-platformplatformSourceDigest.Validation
actionlintclean on_mirror-image.yml.shellcheck -S warningclean on the action's embedded script.get_errorsclean on both YAML files.Closes #141, closes #142, closes #143. Part of #140.