sign github actions cache blobs #60
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
crazy-max
force-pushed
the
gha-cache-sign
branch
8 times, most recently
from
9591c5c to
84847ab
Compare
crazy-max
changed the title
crazy-max
force-pushed
the
gha-cache-sign
branch
from
90030b4 to
3408a90
Compare
crazy-max
commented
Dec 15, 2025
.github/workflows/build.yml
Outdated
| env: | ||
| BUILDX_VERSION: "v0.30.1" | ||
| BUILDKIT_IMAGE: "moby/buildkit:v0.26.2" | ||
| BUILDKIT_IMAGE: "crazymax/buildkit:6397" |
Member
Author
There was a problem hiding this comment.
Keep in draft until moby/buildkit#6397 is released
Merged
tonistiigi
reviewed
Dec 18, 2025
| timestampTreshold = 1 | ||
| tlogThreshold = ${{ matrix.tlogUpload && '1' || '0' }} | ||
| subjectAlternativeName = "https://github.com/docker/github-builder-experimental/.github/workflows/bake.yml*" | ||
| issuer = "https://token.actions.githubusercontent.com" |
Member
There was a problem hiding this comment.
Needs to verify source repo, build repo (same as san) and I think also ref (master branch/tag should not verify PR cache)
crazy-max
force-pushed
the
gha-cache-sign
branch
5 times, most recently
from
cd6b852 to
6d3e37f
Compare
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
crazy-max
force-pushed
the
gha-cache-sign
branch
from
6d3e37f to
ff3b622
Compare
crazy-max
commented
Jan 7, 2026
| env: | ||
| BUILDX_VERSION: "v0.30.1" | ||
| BUILDKIT_IMAGE: "moby/buildkit:v0.26.2" | ||
| BUILDKIT_IMAGE: "moby/buildkit:master@sha256:bdefeba47634c596286beabe68219708ed364c4f1a5e4e9a2e160274712a0e89" # TODO: pin to a specific version when signed gha cache feature is available |
Member
Author
There was a problem hiding this comment.
@tonistiigi As discussed pin buildkit image to master
tonistiigi
approved these changes
Jan 7, 2026
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
follow-up moby/buildkit#6397
fixes #56
Enabling signing for cache blobs in GHA cache backend protects against tampering of remote cache. The approach used here keeps the implementation isolated, transparent, and cost-effective. Local testing shows that the additional overhead introduced by copying the cosign binary into the builder container is negligible.