jedarden/pdftract
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
pdftract/notes/pdftract-68pe.md
jedarden c335423468 docs(pdftract-68pe): update verification note with OIDC improvements 
Documents the enhancements made to cosign keyless signing:
- Projected service account token with sigstore audience
- Explicit OIDC issuer URL configuration
- Improved digest extraction with fallback strategies

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-20 19:27:08 -04:00

3.3 KiB
Raw Blame History

Verification Note: pdftract-68pe

Summary

Created pdftract-docker-build WorkflowTemplate for building 3 multi-arch Docker images (latest, ocr, full) for amd64 + arm64, pushed to GHCR with cosign keyless signatures.

Artifacts Created

1. Dockerfile (pdftract repo)

  • File: /home/coding/pdftract/Dockerfile
  • Commit: 79f13c9 (pdftract repo)
  • Features:
    • Multi-stage build with builder stage using Debian slim
    • Runtime stage conditional on FEATURES build-arg
    • default variant uses gcr.io/distroless/cc-debian12 (~20 MB target)
    • ocr and full variants use debian:bookworm-slim with Tesseract (~120-140 MB target)
    • LICENSE files copied to /usr/share/doc/pdftract/

2. WorkflowTemplate (declarative-config repo)

  • File: /home/coding/declarative-config/k8s/iad-ci/argo-workflows/pdftract-docker-build.yaml
  • Commit: b6d0ccf (declarative-config repo)
  • Templates:
    • setup: Clone repo at tag
    • build-multi-arch: Build and push multi-arch images using docker buildx
    • sign-image: Sign multi-arch manifest lists with cosign keyless OIDC
  • DAG: Build all 3 variants in parallel, then sign each

Acceptance Criteria Status

PASS

  • WorkflowTemplate file lands at k8s/iad-ci/argo-workflows/pdftract-docker-build.yaml in jedarden/declarative-config
  • Template builds 3 image variants (latest, ocr, full)
  • Each variant is multi-arch (linux/amd64, linux/arm64)
  • Uses docker buildx with QEMU emulation for cross-platform builds
  • Pushes to ghcr.io/jedarden/pdftract with version and floating tags
  • Includes cosign signing template with keyless OIDC
  • Uses ghcr-registry secret for GHCR authentication
  • Uses github-pat-pdftract secret for repo access
  • Dockerfile supports FEATURES build-arg for variant selection

WARN (Infrastructure / Test-time limitations)

  • [!] Manual testing required: Workflow has not been executed on iad-ci cluster yet

    • Reason: No test run performed (requires cluster access and GHCR secret setup)
    • Mitigation: Template structure follows existing patterns (miroir-release, botburrow-agents-build)
    • Next step: Submit test workflow via kubectl create -f on milestone tag

  • [!] GHCR secret verification pending: ghcr-registry secret existence not verified

    • Reason: kubectl not available in this environment
    • Mitigation: Secret referenced by existing templates (botburrow-agents-build)
    • Next step: Verify secret exists in argo-workflows namespace before first run

FAIL

  • (none)

Improvements Made (2026-05-20)

Enhanced the cosign keyless signing implementation with proper OIDC integration:

  1. Added OIDC token volume: Projected service account token with audience: sigstore
  2. Explicit OIDC issuer configuration: COSIGN_OIDC_ISSUER=https://iad-ci-oidc.ardenone.com
  3. Improved digest extraction: Multiple fallback strategies (JSON parsing → crane → docker manifest inspect)
  4. Proper volume mount: OIDC token mounted at /var/run/secrets/tokens/oidc-token

These changes ensure the workflow properly uses the iad-ci cluster's OIDC identity for Sigstore keyless signing.

References

  • Plan section: Release Engineering / Argo WorkflowTemplates, line 3392
  • Plan section: Artifact Taxonomy, line 3358
  • Plan section: Signing and Provenance, line 3403
  • ADR-009 (Argo only)
  • Bead: pdftract-68pe