philips-software/docker-ci-scripts

Provide instructions on how to replace docker-ci-scripts with official workflows.

Opened this issue · 2 comments

The official docker build-push-action now also supports SBOM (with syft) and generating provenance (with SLSA).

https://github.com/docker/build-push-action#inputs

Provide an alternative to docker-ci-scripts in example / reusable workflows so people can start using the official Docker GitHub Actions.

Rationale

SSSC is now integrated into docker/build-push-action

The value of docker-ci-scripts for having everything in one action is now reduced. Previous build pipelines were very long if you wanted to do proper Secure Software Supply Chain stuff like signing with Cosign, SBOM with Syft and provenance with SLSA.

Now creating the SBOM and provenance is done in docker/build-push-action, including installing the correct versions, so this will make the workflow a lot clearer.

Multiple tags

Generating multiple versions for a container, e.g. latest, v1, v1.1 and v1.1.8, can now be done easily with https://github.com/docker/metadata-action
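An example of what the requested replacement workflow could look like, covering both points above (SBOM/provenance from docker/build-push-action and multi-tag generation from docker/metadata-action). This is an added example, not code from the docker-ci-scripts project or from this issue. It assumes the image is pushed to ghcr.io under the repository's own name, that the workflow runs on semver tag pushes, and that signing is done keyless with Cosign via sigstore/cosign-installer (the signing step is my addition; the issue only names Cosign). With the default `latest=auto` flavor, metadata-action adds the `latest` tag itself for non-prerelease semver tags, so a v1.1.8 push yields the tags 1.1.8, 1.1, 1 and latest.

```yaml
# Added example workflow (assumption: image lives at ghcr.io/<owner>/<repo>,
# builds are triggered by semver tag pushes). Not part of docker-ci-scripts.
name: build-sign-push

on:
  push:
    tags: ["v*.*.*"]

permissions:
  contents: read
  packages: write   # push to GHCR
  id-token: write   # OIDC token for keyless Cosign signing

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Buildx is required for the sbom/provenance attestations below.
      - uses: docker/setup-buildx-action@v3

      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Replaces the hand-rolled tag logic: one semver tag fans out to
      # 1.1.8, 1.1 and 1; "latest" is added by the default latest=auto flavor.
      - id: meta
        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/${{ github.repository }}
          tags: |
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=semver,pattern={{major}}

      # sbom/provenance inputs make BuildKit attach a Syft SBOM and an SLSA
      # provenance attestation to the pushed image; no separate install steps.
      - id: build
        uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          sbom: true
          provenance: true

      # Keyless signing of the pushed digest (assumed addition, not described in
      # the issue beyond "signing with Cosign"). Signing the digest rather than
      # a mutable tag ensures the signature is bound to exactly this build.
      - uses: sigstore/cosign-installer@v3
      - run: cosign sign --yes "ghcr.io/${{ github.repository }}@${{ steps.build.outputs.digest }}"
```

Verifying the result afterwards is a matter of `cosign verify` against the same digest and `docker buildx imagetools inspect` to confirm the SBOM and provenance attestations are attached; both checks are useful gates before anything downstream consumes the image.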

We might use https://github.com/charmbracelet/vhs-action to make it more appealing.

As of Buildx release v0.10.0, SLSA / SBOM and signing are included by default, so the need for docker-ci-scripts is becoming less and less important.