@@ -42,6 +42,10 @@ on:
description: GitHub Environment to use for accessing the merge token. Leave empty to use the default GITHUB_TOKEN.
type: string
default: ''
attestation_enabled:
description: If false, skips SLSA build-provenance attestation + verification. Defaults to true.
type: boolean
default: true
outputs:
version_number_output:
description: The complete version number
@@ -218,7 +222,7 @@ jobs:
IMAGE_VERSION=${{ steps.version.outputs.new_version }}

- name: Attest build provenance
if: ${{ steps.checkRelease.outputs.not_snapshot == 'true' }}
if: ${{ steps.checkRelease.outputs.not_snapshot == 'true' && inputs.attestation_enabled }}
uses: IABTechLab/uid2-shared-actions/actions/attest_image@v3
with:
subject_name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}${{ inputs.append_image_name }}
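Review bot: The new input's description says `false` skips attestation "+ verification", but the only condition this file's second hunk changes is the `if:` on the "Attest build provenance" step. The job continues outside the hunk; if a verification step follows, it needs the same `inputs.attestation_enabled` guard, and if none exists the description should drop "+ verification". A non-snapshot image built with the flag off is also published without provenance, and nothing visible in the hunk records that the skip was intentional. I would extend the description with `Release images built with this set to false are published without provenance.` and add above the condition `# attestation_enabled is a boolean input, so it is tested directly rather than compared with 'true'`.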
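--- a/.github/workflows/shared-publish-to-docker-versioned.yaml
+++ b/.github/workflows/shared-publish-to-docker-versioned.yaml
@@ -42,6 +42,10 @@ on:
 description: If true, will attempt to publish any vulnerabilities to GitHub. Defaults to true. Set to false for private repos.
 type: string
 default: 'true'
+attestation_enabled:
+description: If false, skips SLSA build-provenance attestation + verification. Defaults to true.
+type: boolean
+default: true
 jobs:
 buildImage:
 name: Build Image
@@ -77,6 +81,7 @@ jobs:
 docker_context: ${{ inputs.docker_context }}
 publish_vulnerabilities: ${{ inputs.publish_vulnerabilities }}
 scan_type: image
+attestation_enabled: ${{ inputs.attestation_enabled }}
 
 - name: Create Release
 id: github_release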
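Review bot: `attestation_enabled` is declared `type: boolean` with `default: true`, while the neighbouring `publish_vulnerabilities` input is `type: string` with `default: 'true'`, so callers of this workflow now face two conventions for on/off flags. The second hunk passes the value on as `${{ inputs.attestation_enabled }}`, presumably into the composite action's string input, where it is compared with `'true'`. A comment on the pass-through line would record that dependency: `# boolean renders as 'true'/'false'; the action compares against the string`. The description could also state that the flag only matters for non-snapshot builds, since the action's condition also requires `not_snapshot == 'true'`.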
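--- a/actions/shared_publish_to_docker/action.yaml
+++ b/actions/shared_publish_to_docker/action.yaml
@@ -32,6 +32,9 @@ inputs:
 scan_type:
 description: The scan-type for aquasecurity/trivy-action action. Default to a fs scan.
 default: fs
+attestation_enabled:
+description: Set to 'false' to skip SLSA build-provenance attestation + verification. Default 'true'.
+default: 'true'
 
 outputs:
 tags:
@@ -103,7 +106,7 @@ runs:
 IMAGE_VERSION=${{ inputs.new_version }}
 
 - name: Attest build provenance
-if: ${{ inputs.not_snapshot == 'true' }}
+if: ${{ inputs.not_snapshot == 'true' && inputs.attestation_enabled == 'true' }}
 uses: IABTechLab/uid2-shared-actions/actions/attest_image@v3
 with:
 subject_name: ${{ inputs.docker_registry }}/${{ inputs.docker_image_name }}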
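Review bot: The new condition on the "Attest build provenance" step turns attestation off for every value of `attestation_enabled` other than `'true'`, whereas the input description documents only `'false'` as the way to skip it. A caller that passes `'yes'`, `'1'` or an expression that renders empty would silently publish a release image without provenance. Testing for the documented opt-out keeps the control on by default: `if: ${{ inputs.not_snapshot == 'true' && inputs.attestation_enabled != 'false' }}`. The description also mentions "+ verification", but no verification step is gated in this hunk; the steps list continues outside it, so any verify step there needs the same guard.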