feat: Add ability to attest the supplied multi-arch image

.github/workflows/generator_container_slsa3.yml

@@ -87,6 +87,11 @@ on:
         description: "If set, provenance is pushed to this registry instead of image registry."
         required: false
         type: string
+      recursive:
+        description: "If set, for the specified multi-arch image, additionally sign each discrete image."
+        required: false
+        type: boolean
+        default: false
     outputs:
       # Note: we use this output because there is no buildt-in `outcome` and `result` is always `success`
       # if `continue-on-error` is set to `true`.
@@ -268,6 +273,7 @@ jobs:
           GITHUB_CONTEXT: "${{ toJSON(github) }}"
           VARS_CONTEXT: "${{ toJSON(vars) }}"
           UNTRUSTED_PROVENANCE_REPOSITORY: "${{ inputs.provenance-repository }}"
+          RECURSIVE: "${{ inputs.recursive }}"
         run: |
           set -euo pipefail
 
@@ -283,6 +289,7 @@ jobs:
           cosign attest --predicate="$predicate_name" \
             --type slsaprovenance \
             --yes \
+            --recursive="${RECURSIVE}" \
             "${UNTRUSTED_IMAGE}@${UNTRUSTED_DIGEST}"
 
       - name: Final outcome

CHANGELOG.md

@@ -11,6 +11,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - [Unreleased](#unreleased)
   - [Unreleased: Vars context recorded in provenance](#unreleased-vars-context-recorded-in-provenance)
+    - [Container generator](#container-generator)
+      - [New Features](#new-features)
 - [v2.0.0](#v200)
   - [v2.0.0: Breaking Change: upload-artifact and download-artifact](#v200-breaking-change-upload-artifact-and-download-artifact)
   - [v2.0.0: Breaking Change: attestation-name Workflow Input and Output](#v200-breaking-change-attestation-name-workflow-input-and-output)
@@ -33,19 +35,19 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - [v1.6.0](#v160)
   - [Summary of changes](#summary-of-changes)
     - [Go builder](#go-builder)
-      - [New Features](#new-features)
-    - [Generic generator](#generic-generator)
       - [New Features](#new-features-1)
-    - [Container generator](#container-generator)
+    - [Generic generator](#generic-generator)
+      - [New Features](#new-features-2)
+    - [Container generator](#container-generator-1)
   - [Changelog since v1.5.0](#changelog-since-v150)
 - [v1.5.0](#v150)
   - [Summary of changes](#summary-of-changes-1)
     - [Go builder](#go-builder-1)
-      - [New Features](#new-features-2)
-    - [Generic generator](#generic-generator-1)
       - [New Features](#new-features-3)
-    - [Container generator](#container-generator-1)
+    - [Generic generator](#generic-generator-1)
       - [New Features](#new-features-4)
+    - [Container generator](#container-generator-2)
+      - [New Features](#new-features-5)
   - [Changelog since v1.4.0](#changelog-since-v140)
 - [v1.4.0](#v140)
   - [What's Changed](#whats-changed)
@@ -112,6 +114,12 @@ duplication."
   container generators. The `vars` context cannot affect the build in the Go
   builder so it is not recorded.
 
+#### Container generator
+
+##### New Features
+
+- A new [`recursive`](https://github.com/slsa-framework/slsa-github-generator/blob/v1.5.0/internal/builders/container/README.md#workflow-inputs) input was added to allow users to pass `--recursive` option to the provenance attestation, usefull when signing `multi-arch` images.
+
 ## v2.0.0
 
 ### v2.0.0: Breaking Change: upload-artifact and download-artifact

internal/builders/container/README.md

@@ -216,6 +216,7 @@ Inputs:
 | `gcp-service-account`            | Email address or unique identifier of the Google Cloud service account for which to generate credentials. For example:<br>`[email protected]`                                                                                                       |
 | `provenance-registry-username`   | Username when publishing to provenance registry (option 'provenance-registry') instead of image registry. Either `provenance-registry-username` input or `provenance-registry-username` secret is required.                                                                             |
 | `provenance-registry`            | If set, provenance is pushed to this registry instead of image registry. (e.g. `gcr.io/my-new-repo`)                                                                                                                                                                                    |
+| `recursive`                      | If set, attestation is performed recursively on the image. Usefull when a multi-arch image is used.                                                                                                                                                                                     |
 
 Secrets: