Context
.github/workflows/release-image.yml publishes the runner image to GHCR as a verified multi-arch manifest (linux/amd64 + linux/arm64) and creates a GitHub Release, but the image itself is not signed and ships without an SBOM or build provenance attestation.
The org CI/CD audit (docs/omt-global-ci-cd-audit-2026-04-14.md) names this repo as the release-isolation reference and Wave 5 asks us to "Generalize the github-runner-fleet release isolation pattern." Operator-facing signing closes that loop and lines up with the org's gh-attest direction.
Scope
- Add keyless cosign signing (sigstore/cosign-installer + cosign sign) for the multi-arch image manifest and per-architecture digests after the existing publish step.
- Generate and publish an SBOM (e.g. anchore/sbom-action producing SPDX) attached to the image via cosign attest.
- Emit SLSA build provenance via actions/attest-build-provenance for both the image and any release tarballs.
- Add a verification step in the same workflow (or a follow-up smoke job) that runs cosign verify against the just-published digest before the release tag is created.
- Document the verification command in README.md so downstream consumers can validate the image they pulled.
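As an added illustration of the steps listed under Scope (and of the checks listed under Acceptance Criteria), here is one way the tail of release-image.yml could look. This is example code written for this issue, not the repository's current workflow or any project code; it assumes a job named publish whose build-and-push step has id push and exposes a digest output, the image name ghcr.io/omt-global/github-runner-fleet, release tarballs under dist/, and a certificate-identity regexp pinned to this workflow file on tag refs. Every step fails the job on a non-zero exit, so signing, SBOM upload and provenance each fail closed, and the GitHub Release is only created once cosign verify has passed against the digest that was just pushed.

```yaml
# Example (not the repo's own release-image.yml): signing, SBOM, provenance and
# verification appended after the existing publish step.
name: release-image

on:
  push:
    tags: ["v*"]

permissions:
  contents: write      # create the GitHub Release
  packages: write      # push image, signature, SBOM and provenance to GHCR
  id-token: write      # OIDC token for keyless cosign signing and gh attest
  attestations: write  # store provenance in the repo's attestation log

env:
  IMAGE: ghcr.io/omt-global/github-runner-fleet   # assumed image name

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      # ... existing checkout / buildx / ghcr login / build-and-push steps ...
      # Assumed: the build-and-push step is `id: push` and exposes
      # `outputs.digest` for the multi-arch manifest list.

      - uses: sigstore/cosign-installer@v3

      # Sign by immutable digest, never by a mutable tag.
      - name: Sign multi-arch manifest (keyless)
        run: cosign sign --yes "${IMAGE}@${{ steps.push.outputs.digest }}"

      # Sign each per-architecture manifest too; skip buildx's own
      # attestation manifests, which carry platform os "unknown".
      - name: Sign per-architecture digests
        run: |
          set -euo pipefail
          docker buildx imagetools inspect \
            "${IMAGE}@${{ steps.push.outputs.digest }}" --format '{{json .Manifest}}' \
            | jq -r '.manifests[] | select(.platform.os != "unknown") | .digest' \
            | while read -r d; do cosign sign --yes "${IMAGE}@${d}"; done

      - name: Generate SPDX SBOM
        uses: anchore/sbom-action@v0
        with:
          image: ${{ env.IMAGE }}@${{ steps.push.outputs.digest }}
          format: spdx-json
          output-file: sbom.spdx.json
          upload-artifact: false

      - name: Attach SBOM as a cosign attestation
        run: |
          cosign attest --yes --type spdxjson --predicate sbom.spdx.json \
            "${IMAGE}@${{ steps.push.outputs.digest }}"

      - name: Attest build provenance (image)
        uses: actions/attest-build-provenance@v2
        with:
          subject-name: ${{ env.IMAGE }}
          subject-digest: ${{ steps.push.outputs.digest }}
          push-to-registry: true

      - name: Attest build provenance (release tarballs)
        uses: actions/attest-build-provenance@v2
        with:
          subject-path: dist/*.tar.gz   # assumed location of the tarballs

      # Gate the release on verification of the digest that was just pushed.
      # The same two cosign commands belong in README.md for consumers.
      - name: Verify signature, SBOM and provenance before releasing
        env:
          DIGEST: ${{ steps.push.outputs.digest }}
          ISSUER: https://token.actions.githubusercontent.com
          # Assumed identity: this workflow file, on a tag ref, in this repo.
          IDENTITY_RE: ^https://github\.com/omt-global/github-runner-fleet/\.github/workflows/release-image\.yml@refs/tags/
          GH_TOKEN: ${{ github.token }}
        run: |
          set -euo pipefail
          cosign verify "${IMAGE}@${DIGEST}" \
            --certificate-identity-regexp "${IDENTITY_RE}" \
            --certificate-oidc-issuer "${ISSUER}"
          cosign verify-attestation --type spdxjson "${IMAGE}@${DIGEST}" \
            --certificate-identity-regexp "${IDENTITY_RE}" \
            --certificate-oidc-issuer "${ISSUER}" > /dev/null
          gh attestation verify "oci://${IMAGE}@${DIGEST}" --owner omt-global

      # ... existing "create GitHub Release" step, now after verification ...
```

The identity regexp is the part consumers must get right: matching only the issuer, or any workflow in the org, would accept signatures from unrelated repositories, so README.md should publish the exact workflow path and ref pattern to trust alongside the issuer URL.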
Acceptance Criteria
- A maintainer can run cosign verify ghcr.io/omt-global/github-runner-fleet:<tag> --certificate-identity-regexp ... --certificate-oidc-issuer https://token.actions.githubusercontent.com and get a green result.
- cosign verify-attestation returns an SPDX SBOM and an SLSA provenance statement for the same digest.
- release-image.yml fails closed if signing, SBOM upload, or provenance attestation fails.
- README documents the verify command and the OIDC identity to trust.
Related
- Audit doc: docs/omt-global-ci-cd-audit-2026-04-14.md (Wave 5)
- SECURITY.md: supply-chain posture for runner-host images