chore: Bump stackabletech/actions to v0.16.0 and add SLSA provenance#1559
Open
dervoeti wants to merge 4 commits into
Open
chore: Bump stackabletech/actions to v0.16.0 and add SLSA provenance#1559dervoeti wants to merge 4 commits into
dervoeti wants to merge 4 commits into
Conversation
NickLarsenNZ
reviewed
Jul 1, 2026
NickLarsenNZ
left a comment
Member
There was a problem hiding this comment.
Is that all stackabletech/actions/* being bumped?
We do try to keep them all at the same level (to make search/replace bumps easier).
Member
Ahh ignore me, the workflows use the reusable one. So I assume they are all updated. |
…into chore/bump-actions-v0.16.0
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Bumps all
stackabletech/actionsreferences to v0.16.0 and generates SLSA build provenance for every published multi-arch image index viaslsa-github-generator, attested to the image in each registry (oci.stackable.tech and quay.io).How it works
publish_manifestsis a version matrix, GitHub matrix jobs cannot expose per-leg outputs (they overwrite each other).I had to do work around this using artifacts:
publish_manifestsleg records its oci/quay index manifest digests as aprovenance-digests-<version>artifact.collect-provenance-matrixassembles the artifacts into a matrix (via include, one entry per version and registry).provenancejob feeds each entry toslsa-github-generator, selecting the registry password per entry.Example:
Two
digests.jsonartifacts collected:{"version": "3.4.1", "oci_digest": "sha256:aaa...", "quay_digest": "sha256:bbb..."} {"version": "3.3.6", "oci_digest": "sha256:ccc...", "quay_digest": "sha256:ddd..."}Results in this matrix:
{ "include": [ { "registry": "oci.stackable.tech", "image": "oci.stackable.tech/sdp/hadoop", "digest": "sha256:aaa...", "username": "robot$sdp+github-action-build" }, { "registry": "quay.io", "image": "quay.io/stackable/sdp/hadoop", "digest": "sha256:bbb...", "username": "stackable+robot_sdp_github_action_build" }, { "registry": "oci.stackable.tech", "image": "oci.stackable.tech/sdp/hadoop", "digest": "sha256:ccc...", "username": "robot$sdp+github-action-build" }, { "registry": "quay.io", "image": "quay.io/stackable/sdp/hadoop", "digest": "sha256:ddd...", "username": "stackable+robot_sdp_github_action_build" } ] }For more details on SLSA generation itself, see the description of stackabletech/operator-templating#602
Definition of Done Checklist
Note
Not all of these items are applicable to all PRs, the author should update this template to only leave the boxes in that are relevant.
Please make sure all these things are done and tick the boxes
TIP: Running integration tests with a new product image
The image can be built and uploaded to the kind cluster with the following commands:
See the output of
boilto retrieve the image manifest URI for<MANIFEST_URI>.