Skip to content

chore: Bump stackabletech/actions to v0.16.0 and add SLSA provenance#1559

Open
dervoeti wants to merge 4 commits into
mainfrom
chore/bump-actions-v0.16.0
Open

chore: Bump stackabletech/actions to v0.16.0 and add SLSA provenance#1559
dervoeti wants to merge 4 commits into
mainfrom
chore/bump-actions-v0.16.0

Conversation

@dervoeti

@dervoeti dervoeti commented Jul 1, 2026

Copy link
Copy Markdown
Member

Description

Bumps all stackabletech/actions references to v0.16.0 and generates SLSA build provenance for every published multi-arch image index via slsa-github-generator, attested to the image in each registry (oci.stackable.tech and quay.io).

How it works

publish_manifests is a version matrix, GitHub matrix jobs cannot expose per-leg outputs (they overwrite each other).
I had to do work around this using artifacts:

  1. Each publish_manifests leg records its oci/quay index manifest digests as a provenance-digests-<version> artifact.
  2. collect-provenance-matrix assembles the artifacts into a matrix (via include, one entry per version and registry).
  3. A matrixed provenance job feeds each entry to slsa-github-generator, selecting the registry password per entry.

Example:
Two digests.json artifacts collected:

  {"version": "3.4.1", "oci_digest": "sha256:aaa...", "quay_digest": "sha256:bbb..."}
  {"version": "3.3.6", "oci_digest": "sha256:ccc...", "quay_digest": "sha256:ddd..."}

Results in this matrix:

  {
    "include": [
      {
        "registry": "oci.stackable.tech",
        "image": "oci.stackable.tech/sdp/hadoop",
        "digest": "sha256:aaa...",
        "username": "robot$sdp+github-action-build"
      },
      {
        "registry": "quay.io",
        "image": "quay.io/stackable/sdp/hadoop",
        "digest": "sha256:bbb...",
        "username": "stackable+robot_sdp_github_action_build"
      },
      {
        "registry": "oci.stackable.tech",
        "image": "oci.stackable.tech/sdp/hadoop",
        "digest": "sha256:ccc...",
        "username": "robot$sdp+github-action-build"
      },
      {
        "registry": "quay.io",
        "image": "quay.io/stackable/sdp/hadoop",
        "digest": "sha256:ddd...",
        "username": "stackable+robot_sdp_github_action_build"
      }
    ]
  }

For more details on SLSA generation itself, see the description of stackabletech/operator-templating#602

Definition of Done Checklist

Note

Not all of these items are applicable to all PRs, the author should update this template to only leave the boxes in that are relevant.

Please make sure all these things are done and tick the boxes

  • Changes are OpenShift compatible
  • All added packages (via microdnf or otherwise) have a comment on why they are added
  • Things not downloaded from Red Hat repositories should be mirrored in the Stackable repository and downloaded from there
  • All packages should have (if available) signatures/hashes verified
  • Add an entry to the CHANGELOG.md file
  • Integration tests ran successfully
TIP: Running integration tests with a new product image

The image can be built and uploaded to the kind cluster with the following commands:

boil build <IMAGE> --image-version <RELEASE_VERSION> --strip-architecture --load
kind load docker-image <MANIFEST_URI> --name=<name-of-your-test-cluster>

See the output of boil to retrieve the image manifest URI for <MANIFEST_URI>.

@dervoeti dervoeti changed the title Chore/bump actions v0.16.0 chore: Bump stackabletech/actions to v0.16.0 and add SLSA provenance Jul 1, 2026
@dervoeti dervoeti self-assigned this Jul 1, 2026
@dervoeti dervoeti moved this to Development: Waiting for Review in Stackable Engineering Jul 1, 2026

@NickLarsenNZ NickLarsenNZ left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is that all stackabletech/actions/* being bumped?
We do try to keep them all at the same level (to make search/replace bumps easier).

@Techassi Techassi self-requested a review July 1, 2026 15:17
@NickLarsenNZ

Copy link
Copy Markdown
Member

Is that all stackabletech/actions/* being bumped? We do try to keep them all at the same level (to make search/replace bumps easier).

Ahh ignore me, the workflows use the reusable one. So I assume they are all updated.

NickLarsenNZ
NickLarsenNZ previously approved these changes Jul 1, 2026

@NickLarsenNZ NickLarsenNZ left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@NickLarsenNZ NickLarsenNZ moved this from Development: Waiting for Review to Development: In Review in Stackable Engineering Jul 1, 2026
@dervoeti dervoeti requested a review from NickLarsenNZ July 1, 2026 16:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Status: Development: In Review

Development

Successfully merging this pull request may close these issues.

2 participants