Skip to content

fix: attestation verification for repos that re-use amp-devcontainer workflows#987

Merged
Ron (rjaegers) merged 1 commit into
mainfrom
fix/attestation-verification-for-other-repo
Oct 22, 2025
Merged

fix: attestation verification for repos that re-use amp-devcontainer workflows#987
Ron (rjaegers) merged 1 commit into
mainfrom
fix/attestation-verification-for-other-repo

Conversation

@rjaegers
Copy link
Copy Markdown
Member

@rjaegers Ron (rjaegers) commented Oct 20, 2025
edited
Loading

🚀 Hey, I have created a Pull Request

Description of changes

This pull request updates the attestation verification step in the .github/workflows/wc-build-push.yml workflow to improve security and traceability.

Security and attestation verification:

  • The Verify attestation step now explicitly specifies the --signer-workflow parameter, referencing the philips-software/amp-devcontainer/.github/workflows/wc-build-push.yml workflow for signer verification. This ensures that attestations are only accepted from trusted workflows and enhances the provenance of built images.

✔️ Checklist

  • I have followed the contribution guidelines for this repository
  • I have added tests for new behavior, and have not broken any existing tests
  • I have added or updated relevant documentation
  • I have verified that all added components are accounted for in the SBOM

@rjaegers Ron (rjaegers) requested a review from a team as a code owner October 20, 2025 11:47
Copilot AI review requested due to automatic review settings October 20, 2025 11:47
Copilot AI reviewed Oct 20, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

Adds explicit signer workflow reference to attestation verification so downstream repositories using the reusable build/push workflow can successfully verify image attestations.

  • Introduces --signer-workflow flag to gh attestation verify command.
  • Targets canonical workflow path to align verification with reusable workflow origin.

Comment thread .github/workflows/wc-build-push.yml
@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud Bot commented Oct 20, 2025

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Oct 20, 2025

📦 Container Size Analysis

Note

Comparing ghcr.io/philips-software/amp-devcontainer-rust:edgeghcr.io/philips-software/amp-devcontainer-rust:pr-987

📈 Size Comparison Table

OS/Platform Previous Current Change Trend
linux/amd64 536.91 MB 536.91 MB +177 B (+0%) 🔼
linux/arm64 493.59 MB 493.59 MB +532 B (+0%) 🔼

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Oct 20, 2025

MegaLinter analysis: Success

Descriptor Linter Files Fixed Errors Warnings Elapsed time
✅ ACTION actionlint 22 0 0 0.59s
✅ DOCKERFILE hadolint 2 0 0 0.89s
✅ GHERKIN gherkin-lint 6 0 0 2.48s
✅ JSON npm-package-json-lint yes no no 0.63s
✅ JSON prettier 15 2 0 0 0.56s
✅ JSON v8r 15 0 0 6.85s
✅ MARKDOWN markdownlint 11 0 0 0 0.96s
✅ MARKDOWN markdown-table-formatter 11 0 0 0 0.28s
✅ REPOSITORY gitleaks yes no no 1.1s
✅ REPOSITORY git_diff yes no no 0.01s
✅ REPOSITORY grype yes no no 28.68s
✅ REPOSITORY secretlint yes no no 0.96s
✅ REPOSITORY syft yes no no 1.83s
✅ REPOSITORY trivy yes no no 7.11s
✅ REPOSITORY trivy-sbom yes no no 0.23s
✅ REPOSITORY trufflehog yes no no 3.38s
✅ SPELL lychee 73 0 0 43.45s
✅ YAML prettier 28 0 0 0 1.22s
✅ YAML v8r 28 0 0 8.24s
✅ YAML yamllint 28 0 0 1.01s

See detailed reports in MegaLinter artifacts

Your project could benefit from a custom flavor, which would allow you to run only the linters you need, and thus improve runtime performances. (Skip this info by defining FLAVOR_SUGGESTIONS: false)

  • Documentation: Custom Flavors
  • Command: npx mega-linter-runner@9.1.0 --custom-flavor-setup --custom-flavor-linters ACTION_ACTIONLINT,DOCKERFILE_HADOLINT,GHERKIN_GHERKIN_LINT,JSON_V8R,JSON_PRETTIER,JSON_NPM_PACKAGE_JSON_LINT,MARKDOWN_MARKDOWNLINT,MARKDOWN_MARKDOWN_TABLE_FORMATTER,REPOSITORY_GIT_DIFF,REPOSITORY_GITLEAKS,REPOSITORY_GRYPE,REPOSITORY_SECRETLINT,REPOSITORY_SYFT,REPOSITORY_TRIVY,REPOSITORY_TRIVY_SBOM,REPOSITORY_TRUFFLEHOG,SPELL_LYCHEE,YAML_PRETTIER,YAML_YAMLLINT,YAML_V8R

MegaLinter is graciously provided by OX Security

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Oct 20, 2025

📦 Container Size Analysis

Note

Comparing ghcr.io/philips-software/amp-devcontainer-cpp:edgeghcr.io/philips-software/amp-devcontainer-cpp:pr-987

📈 Size Comparison Table

OS/Platform Previous Current Change Trend
linux/amd64 691.11 MB 691.11 MB 1.69 kB (0%) 🔽
linux/arm64 674.32 MB 674.32 MB 235 B (0%) 🔽

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Oct 20, 2025

Test Results

 5 files  ±0   5 suites  ±0   3m 40s ⏱️ +12s
31 tests ±0  31 ✅ ±0  0 💤 ±0  0 ❌ ±0 
65 runs  ±0  65 ✅ ±0  0 💤 ±0  0 ❌ ±0 

Results for commit 9fe02f7. ± Comparison against base commit c9efa53.

@rjaegers Ron (rjaegers) changed the title fix: enable attestation verification to pass for repos that use amp-devcontainer workflows fix: attestation verification for repos that use amp-devcontainer workflows Oct 20, 2025
@rjaegers Ron (rjaegers) changed the title fix: attestation verification for repos that use amp-devcontainer workflows fix: attestation verification for repos that re-use amp-devcontainer workflows Oct 20, 2025
@magi-arun magi-arun requested a review from EkelmansPh October 21, 2025 07:11
@rjaegers Ron (rjaegers) added this pull request to the merge queue Oct 21, 2025
@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to no response for status checks Oct 21, 2025
@rjaegers Ron (rjaegers) added this pull request to the merge queue Oct 21, 2025
@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to no response for status checks Oct 21, 2025
@rjaegers Ron (rjaegers) added this pull request to the merge queue Oct 21, 2025
github-merge-queue Bot pushed a commit that referenced this pull request Oct 21, 2025
@rjaegers
fix: attestation verification for repos that re-use amp-devcontainer …
d661878 
…workflows (#987)

fix: enable attestation verification to pass for repos that use amp-devcontainer workflows
@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to failed status checks Oct 21, 2025
@rjaegers Ron (rjaegers) added this pull request to the merge queue Oct 21, 2025
@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to failed status checks Oct 21, 2025
@rjaegers Ron (rjaegers) added this pull request to the merge queue Oct 22, 2025
Merged via the queue into main with commit ebfb69d Oct 22, 2025
41 checks passed
@rjaegers Ron (rjaegers) deleted the fix/attestation-verification-for-other-repo branch October 22, 2025 08:55
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Oct 22, 2025

Pull Request Report (#987)

Static measures

Description Value
Number of added lines 1
Number of deleted lines 1
Number of changed files 1
Number of commits 1
Number of reviews 3
Number of comments (w/o review comments) 5
Number of reviews that contains a comment to resolve 2
Number of reviews that requested a change from the author 0
Number of reviews that approved the Pull Request 1
Get the total number of participants of a Pull Request 6

Time related measures

Description Value
PR lead time (from creation to close of PR) 1.9 Days
Time that was spend on the branch before the PR was created 36 Sec
Time that was spend on the branch before the PR was merged 1.9 Days
Time to merge after last review 1.1 Days

Status check related measures

Description Value
Total runtime for last status check run (Workflow for PR) 43.6 Min
Total time spend in last status check run on PR 1.9 Days

@philips-software-forest-releaser philips-software-forest-releaser Bot mentioned this pull request Oct 22, 2025
Merged
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Oct 22, 2025

🎉 Hooray! The changes in this pull request went live with the release of v6.5.2 🎉

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@EkelmansPh EkelmansPh EkelmansPh approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@rjaegers @EkelmansPh