Skip to content

build/bake,build: add Chainguard OIDC keyless cgr.dev auth (opt-in)#196

Open
danilohorta wants to merge 3 commits into
docker:mainfrom
danilohorta:feat/chainguard-keyless-auth
Open

build/bake,build: add Chainguard OIDC keyless cgr.dev auth (opt-in)#196
danilohorta wants to merge 3 commits into
docker:mainfrom
danilohorta:feat/chainguard-keyless-auth

Conversation

@danilohorta

@danilohorta danilohorta commented May 11, 2026

Copy link
Copy Markdown

Summary

bake.yml and build.yml currently only accept registry credentials via the static registry-auths secret, so any runtime-minted credential (Chainguard OIDC pull token, GCP WIF, AWS OIDC, …) has to be substituted across the workflow_call boundary, where GitHub's cross-job output masker silently strips values that look like secrets.

This PR adds three opt-in inputs (chainguard-identity, chainguard-apk-host, chainguard-libraries-host) that drive chainguard-dev/setup-chainctl@v0.5.1 inside the build and finalize jobs so the Chainguard pull token is minted on the build runner and never leaves it.

Issue: #146

Add four opt-in inputs to bake.yml and build.yml:
chainguard-identity, chainguard-registry, chainguard-apk-host,
chainguard-libraries-host. When chainguard-identity is set, the
build and finalize jobs install chainctl via
chainguard-dev/setup-chainctl@v0.5.1 and register it as a Docker
credential helper for cgr.dev. The Chainguard pull token is minted
inside the build/finalize job runners and never crosses the
workflow_call boundary into the caller's registry-auths secret,
where it would be silently stripped by GitHub's cross-job output
masker (docker#146 documents the equivalent GCP WIF failure mode).

No existing input changes; registry-auths continues to handle every
static-credential registry as before and can be combined with
chainguard-identity for multi-registry builds.

Refs: docker#146
@danilohorta danilohorta requested a review from a team as a code owner May 11, 2026 14:17
danilohorta added a commit to danilohorta/github-builder that referenced this pull request May 12, 2026
…rtifacts

When bake.yml runs as a reusable workflow on a fork, the OIDC
identity in sigstore certificates and GHA cache signatures is the
fork's path (https://github.com/<fork-owner>/github-builder/...),
not docker/github-builder. The two verify policies in this file
(verifyImageAttestations regex; cache.gha.verify.policy SAN glob)
hardcode docker/github-builder, so any fork's run fails its own
self-verification.

Relax both to also accept this fork (danilohorta/github-builder) so
the chainguard-keyless-auth changes stacked on feat/... can be
exercised end-to-end from PhysicsXLtd/tmp-component-base while
docker#196 is in review.
This branch is the px-internal stacking branch — intentionally not
on feat/chainguard-keyless-auth so PR docker#196 stays a clean upstream
diff. Drop this branch once docker#196 merges and release.yml repins to
the upstream tag.
@gmile

gmile commented May 13, 2026

Copy link
Copy Markdown

Would love to see a similar thing done for GCP WIF. Just saying. Happy to submit PR, provided maintainers are open to that.

@crazy-max

Copy link
Copy Markdown
Member

I think this should be handled through the registry identities work in #243 rather than by adding Chainguard-specific top-level inputs to build.yml and bake.yml.

The problem this PR solves is the same class of problem tracked in #146: registry credentials that are minted at runtime should be created inside GitHub Builder, on the runner that needs them, without passing secret-looking values across the workflow_call boundary.

The intent of #243 is to introduce a generic registry-identities input and keep provider-specific authentication logic pinned and controlled inside GitHub Builder. AWS ECR is the first provider implemented there, but Chainguard should fit the same model as another registry-identities provider instead of adding separate top-level inputs such as chainguard-identity, chainguard-apk-host, and chainguard-libraries-host.

So I think we should preserve the behavior goal from this PR, which is minting the Chainguard pull token on the build/finalize runner and avoiding masked cross-job outputs, but rework the interface on top of registry-identities once #243 lands.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants