Skip to content

feat(build, oci): add commands to manage oci artifacts#162

Open
reyreavman wants to merge 7 commits into
mainfrom
feat/oci/commands-to-manage-oci-artifacts
Open

feat(build, oci): add commands to manage oci artifacts#162
reyreavman wants to merge 7 commits into
mainfrom
feat/oci/commands-to-manage-oci-artifacts

Conversation

@reyreavman

Copy link
Copy Markdown
Collaborator

No description provided.

@reyreavman
reyreavman force-pushed the feat/oci/commands-to-manage-oci-artifacts branch 8 times, most recently from 18be74f to a2a40fb Compare July 9, 2026 12:28
@nervgh
nervgh force-pushed the feat/oci/commands-to-manage-oci-artifacts branch 2 times, most recently from a2a40fb to dc56c4d Compare July 13, 2026 15:41
Comment thread cmd/werf/attest/get/get.go Outdated
Comment thread docs/pages_en/reference/cli/werf_attest_verify.md
Comment thread pkg/attestation/dsse_test.go Outdated
Comment thread pkg/attestation/keys.go
Comment thread pkg/attestation/integration_test.go Outdated
Comment thread test/e2e/attest/_fixtures/simple/Dockerfile Outdated
Comment thread test/e2e/attest/lifecycle_test.go
Comment thread pkg/attestation/keys.go
@reyreavman
reyreavman force-pushed the feat/oci/commands-to-manage-oci-artifacts branch 2 times, most recently from e520696 to f08f1f4 Compare July 15, 2026 08:06
New pkg/attestation/ package with DSSE signing, in-toto v1 wrapping,
well-known predicate types (openvex, cyclonedx, spdxjson, slsaprovenance),
and CLI commands for creating, retrieving, verifying, and listing
OCI attestations attached to container images.

Migrated pkg/sbom/image/dsse.go to delegate to pkg/attestation/.
Added e2e test suite under test/e2e/attest/.

Signed-off-by: Radmir Khurum <radmir.khurum@flant.com>
- Extract PredicateTypeHelp() from WellKnownPredicateTypes map and use
  it in all --type flag descriptions instead of hardcoded string
- Use Ginkgo SpecContext instead of context.Background() in unit tests
- Replace alpine:3.20 with registry.werf.io/base/alpine:3.21 in e2e fixture

Signed-off-by: Radmir Khurum <radmir.khurum@flant.com>
Signed-off-by: Radmir Khurum <radmir.khurum@flant.com>
@reyreavman
reyreavman force-pushed the feat/oci/commands-to-manage-oci-artifacts branch from f08f1f4 to c2038de Compare July 15, 2026 09:16
- VerifyDSSE now reports how many signatures had invalid base64 encoding
  in the failure message instead of silently skipping them (gap 1)
- HasSignatures returns (bool, error) instead of silently returning false
  on malformed envelope JSON; ls.go propagates the error (gap 3)
- Add integration tests for Attach/PullFallbackIndex against an in-memory
  registry covering attach-without-imageName, dedup, and content round-trip
  (gaps 4, 5)

Signed-off-by: Radmir Khurum <radmir.khurum@flant.com>
@reyreavman
reyreavman force-pushed the feat/oci/commands-to-manage-oci-artifacts branch from 0355b41 to 32c1c64 Compare July 16, 2026 08:33
nervgh and others added 3 commits July 17, 2026 17:06
Signed-off-by: Alexandr Zaytsev <alexandr.zaytsev@flant.com>
Signed-off-by: Alexandr Zaytsev <alexandr.zaytsev@flant.com>
…List

- --image help said "(required)" but the flag is optional by design
  (identity is the parent digest; imageName is only an index annotation
  disambiguating images that share a digest). Fix the help text; do not
  add validation. Regenerate CLI docs.
- List() fetched content via GetAttachedContentAny on every iteration,
  so Signed/PredicateType reflected only the first DSSE artifact when an
  image had multiple attestations. Add OCIStore.GetContentByDigest and
  fetch each entry by its own descriptor digest.

Signed-off-by: Radmir Khurum <radmir.khurum@flant.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants