docs: new article for demonstrating zot workflow with artifacts #125
Conversation
docs/articles/workflow.md
Outdated
| @@ -0,0 +1,294 @@ | |||
| # Software Provenance Workflow Using OCI Artifact | |||
docs/articles/workflow.md
Outdated
| @@ -0,0 +1,294 @@ | |||
| # Software Provenance Workflow Using OCI Artifact | |||
|
|
|||
| > :point_right: This article demonstrates an end-to-end workflow for installing a zot registry, pushing and signing an image and artifact, and verifying the results. | |||
There was a problem hiding this comment.
"pushing an image and related artifact (such as an SBOM)"
Drop the ", and verifying..."
docs/articles/workflow.md
Outdated
|
|
||
| ## Workflow | ||
|
|
||
| ### Step 1: Set up the environment and tools |
There was a problem hiding this comment.
Pattern here is maybe ...
For the full script, go here etc
But here is the script broken down with documentation/explanation.
|
Questions: How is REF0 used in the cosign commands in Step 6? Should we show an example of the artifact tree? |
docs/articles/workflow.md
Outdated
|
|
||
| ### Step 1: Set up the environment and tools | ||
|
|
||
| As a first step, we define and create directories, then download binaries for zot, regctl, and cosign. |
docs/articles/workflow.md
Outdated
| COSIGN_VERSION=2.1.1 | ||
| curl -Lo ${COSIGN} https://github.com/sigstore/cosign/releases/download/v${COSIGN_VERSION}/cosign-linux-amd64 | ||
| chmod +x ${COSIGN} | ||
|
|
There was a problem hiding this comment.
Setup a OCI Registry With Referrers Support (zot)
| {% endraw %} | ||
| ``` | ||
|
|
||
|
|
There was a problem hiding this comment.
Copy an image to the OCI Registry
docs/articles/workflow.md
Outdated
| ``` | ||
|
|
||
|
|
||
| ### Step 4: Copy an artifact to the zot registry |
There was a problem hiding this comment.
Copy a Related Artifact to the OCI Registry
| > :pencil2: If no subject is specified in the command, the artifact is considered independent and not associated with any existing image. | ||
|
|
||
|
|
||
| ### Step 5: Display the artifact tree |
There was a problem hiding this comment.
+ $ regctl artifact tree localhost:8080/busybox:latest
Ref: localhost:8080/busybox:latest
Digest: sha256:9172c5f692f2c65e4f773448503b21dba2de6454bd159905c4bf6d83176e4ea3
Referrers:
- sha256:9c0655368b10ca4b2ffe39e4dd261fb89df25a46ae92d6eb4e6e1792a451883e: application/yaml
There was a problem hiding this comment.
Command output added
| ``` | ||
|
|
||
|
|
||
| ### Step 7: Display the artifact tree |
There was a problem hiding this comment.
Ref: localhost:8080/busybox:latest
Digest: sha256:9172c5f692f2c65e4f773448503b21dba2de6454bd159905c4bf6d83176e4ea3
Referrers:
- sha256:9c0655368b10ca4b2ffe39e4dd261fb89df25a46ae92d6eb4e6e1792a451883e: application/yaml
Referrers:
- sha256:06792b209137486442a2b804b2225c0014e3e238d363cdbea088bbd73207fb34: application/vnd.dev.cosign.artifact.sig.v1+json
- sha256:995b6a78bf04a7a9676dac76b4598ccb645c17e30b02f294de9fdfa2f28eb7b2: application/vnd.dev.cosign.artifact.sig.v1+json
There was a problem hiding this comment.
original image: localhost:8080/busybox:latest
Two direct refererrers:
artifact.yaml sha256:9c0655368b10ca4b2ffe39e4dd261fb89df25a46ae92d6eb4e6e1792a451883e: application/yaml
image signature sha256:995b6a78bf04a7a9676dac76b4598ccb645c17e30b02f294de9fdfa2f28eb7b2: application/vnd.dev.cosign.artifact.sig.v1+json
Second-level referrer for the artifact.yaml
- sha256:06792b209137486442a2b804b2225c0014e3e238d363cdbea088bbd73207fb34: application/vnd.dev.cosign.artifact.sig.v1+json
There was a problem hiding this comment.
Command output and explanation added
| @@ -115,6 +115,7 @@ nav: | |||
| - CI/CD Pipeline: articles/building-ci-cd-pipeline.md | |||
| - Authentication and Authorization: articles/authn-authz.md | |||
| - Verifying Image Signatures: articles/verifying-signatures.md | |||
| - Software Provenance Workflow Using OCI Artifacts: articles/workflow.md | |||
There was a problem hiding this comment.
Add this workflow.md article "link" in What's New (OCI artifacts support) - "See this article to do an end-to-end OCI artifacts workflow"
Signed-off-by: mbshields <[email protected]>
Signed-off-by: mbshields <[email protected]>
Signed-off-by: mbshields <[email protected]>
Signed-off-by: mbshields <[email protected]>
Signed-off-by: mbshields <[email protected]>
Signed-off-by: mbshields <[email protected]>
mbshields
force-pushed
the
docs_mishield_workflow
branch
from
481f7ce to
2da36f9
Compare
ref0 is for the artifact that was uploaded referring to the first container image. |
Signed-off-by: mbshields <[email protected]>
documentation
Which issue does this PR fix:
none
What does this PR do / Why do we need it:
Demonstrates an end-to-end workflow for installing a zot registry, pushing and signing an image and artifact, and verifying the results.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.