ci(auth): update CAR-1446 comment with empirical OCI referrers proof
CI / build-and-push (pull_request) Has been skipped
CI / deploy-uat (pull_request) Has been skipped
CI / deploy-dev (pull_request) Has been skipped
CI / build-and-push (push) Failing after 11m7s
CI / deploy-uat (push) Has been skipped
CI / deploy-dev (push) Successful in 3s
@@ -84,11 +84,14 @@ jobs:
|
|||||||
with:
|
with:
|
||||||
context: .
|
context: .
|
||||||
push: true
|
push: true
|
||||||
# CAR-1446: git.farh.net does not support OCI referrers (distribution spec
|
# CAR-1446: git.farh.net does not implement the OCI referrers API.
|
||||||
# >=1.1 required for attestation push). Enabling provenance:true/sbom:true
|
# Verified 2026-06-23: GET /v2/cartsnitch/auth/referrers/{digest} →
|
||||||
# would cause the push to fail on the referrer PUT. The Grype scan step
|
# HTTP 404 "page not found" (plain proxy 404, not an OCI error — the path
|
||||||
# above is the compensating control — it fails the build on any unfixed
|
# does not exist in this Gitea registry version). OCI Distribution Spec
|
||||||
# high-severity CVE before the image reaches the registry.
|
# >=1.1 is required for provenance/SBOM attestation manifests; without it
|
||||||
|
# the docker/build-push-action would fail at the attestation PUT.
|
||||||
|
# Compensating control: the Grype scan step above fails the build on any
|
||||||
|
# unfixed HIGH-severity CVE before the image reaches the registry.
|
||||||
provenance: false
|
provenance: false
|
||||||
sbom: false
|
sbom: false
|
||||||
tags: ${{ steps.meta.outputs.tags }}
|
tags: ${{ steps.meta.outputs.tags }}
|
||||||
|
|||||||
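Review bot: the new comment's evidence line "# HTTP 404 "page not found" (plain proxy 404, not an OCI error — the path" proves less than the conclusion drawn from it: a 404 generated by the proxy in front of the registry shows that /v2/cartsnitch/auth/referrers/{digest} is not routed, not that this Gitea version lacks the referrers API, since the request may never have reached the registry. Either state in the comment how the proxy was ruled out (for example a request sent directly to the registry backend, or the Gitea release notes for the deployed version) or soften the wording to "endpoint is not reachable through the registry proxy". In the same block, "# Verified 2026-06-23:" and "# does not exist in this Gitea registry version)" would be far more useful for re-validation if the actual Gitea version string were recorded next to the date, so the `provenance: false` / `sbom: false` workaround can be revisited and attestations re-enabled when the registry is upgraded; a date alone goes stale silently. Finally, the comment asserts that the Grype step fails the build on unfixed HIGH CVEs, but that step's `fail-on` / `only-fixed` configuration is outside this hunk, so please double-check it matches the wording here, otherwise the documented compensating control is weaker than described.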