This runbook covers operational procedures for the image attestation and SBOM infrastructure.
During a normal release, the following occurs automatically:
- Build: Multi-architecture images are built for `linux/amd64` and `linux/arm64`
- Push: Images are pushed to GHCR and Docker Hub
- Attest: Build provenance attestation is created via `actions/attest-build-provenance`
- SBOM: Syft generates an SPDX-JSON SBOM
- Scan: Grype scans for vulnerabilities (fails on critical)
- SBOM Attest: The SBOM is attested to the image via `actions/attest-sbom`
All steps must succeed for the release to complete.
Monitor the CI/CD pipeline for attestation and scanning jobs:
Look for these steps in the publish jobs:
- `Attest build provenance`
- `Attest SBOM` / `sbom-scan`
Verify attestations are being created:
```sh
gh attestation verify oci://ghcr.io/midnight-ntwrk/midnight-node:TAG --owner midnightntwrk
```
`Attest build provenance` step fails
- Error: "Error: Unauthorized" or "Error: Resource not accessible by integration"
- Review workflow logs for specific error messages
- Verify the workflow has `id-token: write` and `attestations: write` permissions
- Check GitHub status at https://www.githubstatus.com/
Permission issue:
Ensure the workflow job has the required permissions:
```yaml
permissions:
  id-token: write
  attestations: write
```
Transient failure (GitHub outage):
Re-run the failed job. Check GitHub status at https://www.githubstatus.com/.
Registry authentication failure:
Verify registry credentials are configured in repository secrets:
- `MIDNIGHTCI_PACKAGES_WRITE` for GHCR
- `DOCKERHUB_MIDNIGHTNTWRK_USER` and `DOCKERHUB_MIDNIGHTNTWRK_TOKEN` for Docker Hub
`sbom-scan` job fails during "Generate SBOM" step
- Error: "failed to catalog"
- Check if the image exists and is accessible
- Review Syft error output for specific failures
- Check for timeout issues on large images
Image not found:
Ensure the image was pushed successfully before the SBOM job runs. Check job dependencies in the workflow.
Timeout:
Large images may time out. The script retries 3 times with exponential backoff.
Unsupported image format:
Syft supports OCI and Docker image formats. Verify the image is in a supported format.
`sbom-scan` job fails during "Scan for vulnerabilities" step
- Output shows vulnerabilities with critical severity
- Review the vulnerability summary in the job output
- Download the `*-scan-results` artifact for full details
- Check if vulnerabilities are in base images or application code
Option 1: Fix the vulnerability
Update the affected package to a patched version:
```dockerfile
# For apt packages
RUN apt-get update && apt-get install -y package-name=fixed-version
# For npm packages
RUN npm update vulnerable-package
# For Rust packages
# Update Cargo.lock with patched version
```
Option 2: Temporarily ignore (with justification)
If no fix is available, add to .grype.yaml:
```yaml
ignore:
  # CVE-YYYY-XXXXX: Description of vulnerability
  # Impact assessment: Explain why this is acceptable to ignore
  # Affected component: What package/binary is affected
  # Tracking: https://github.com/upstream/repo/issues/XXX
  # TODO: Remove when upstream releases fix
  - vulnerability: CVE-YYYY-XXXXX
```
Requirements for ignoring vulnerabilities:
- Document the CVE ID and description
- Assess and document the risk/impact
- Link to upstream tracking issue
- Add TODO with removal criteria
- Create a tracking issue in this repository
`sbom-scan` job fails during "Attest SBOM" step
- Error: "Error: Unauthorized"
- Verify the image digest is correct
- Check that the job has `attestations: write` permission
- Check GitHub status
Same as attestation failures — ensure id-token: write and attestations: write permissions are set.
Fork PR:
Attestation is automatically skipped for fork PRs (they don't have the required permissions). This is expected behavior.
`sbom-scan` job fails during "Attest SBOM" step
- Error: `predicate file exceeds maximum allowed size: 16777216 bytes`
- Check the "Trim SBOM for attestation" step output for size details
- If the trimmed SBOM exceeds 16MB, the image has grown significantly in package count
- Consider stripping additional optional SPDX fields (e.g., `annotations`, `externalDocumentRefs`)
- Review whether the base image can be slimmed down to reduce package count
- Track upstream progress on increasing the limit: actions/attest-sbom#168
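As an added example (not the project's own "Trim SBOM for attestation" step), the following Python strips optional SPDX fields from a Syft SBOM and checks the result against the 16777216-byte predicate limit. Which fields the real step removes, and the sample SBOM, are assumptions; the two top-level fields are the ones named above.

```python
"""Trim an SPDX-JSON SBOM to fit the attest-sbom predicate size limit."""
import json

MAX_PREDICATE_BYTES = 16_777_216  # 16 MiB, as quoted in the error message

# Optional SPDX 2.3 fields that carry no package-inventory data. Which
# fields the project's real "Trim SBOM for attestation" step strips is an
# assumption; the two top-level ones are those named in the runbook.
TOP_LEVEL_OPTIONAL = ("annotations", "externalDocumentRefs")
PACKAGE_OPTIONAL = ("annotations", "description", "summary",
                    "sourceInfo", "attributionTexts")

def predicate_size(doc: dict) -> int:
    """Byte length of the SBOM serialised as compact JSON."""
    return len(json.dumps(doc, separators=(",", ":")).encode("utf-8"))

def trim_sbom(doc: dict, extra_top_level=(), extra_package=()) -> dict:
    """Return a copy with optional fields removed; required fields such as
    spdxVersion, packages and relationships are left untouched."""
    trimmed = json.loads(json.dumps(doc))  # deep copy; input is not mutated
    for key in TOP_LEVEL_OPTIONAL + tuple(extra_top_level):
        trimmed.pop(key, None)
    for pkg in trimmed.get("packages", []):
        for key in PACKAGE_OPTIONAL + tuple(extra_package):
            pkg.pop(key, None)
    return trimmed

def fits_limit(doc: dict, limit: int = MAX_PREDICATE_BYTES) -> bool:
    """True when the document can be attested without hitting the limit."""
    return predicate_size(doc) <= limit

# Constructed two-package SBOM standing in for real Syft output.
SAMPLE_SBOM = {
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "midnight-node",
    "annotations": [{"annotator": "Tool: syft", "comment": "x" * 40}],
    "externalDocumentRefs": [],
    "packages": [
        {"SPDXID": "SPDXRef-Package-openssl", "name": "openssl",
         "versionInfo": "3.0.2", "description": "y" * 40},
        {"SPDXID": "SPDXRef-Package-libc6", "name": "libc6",
         "versionInfo": "2.35", "sourceInfo": "z" * 40},
    ],
    "relationships": [],
}

if __name__ == "__main__":
    trimmed = trim_sbom(SAMPLE_SBOM)
    print(predicate_size(SAMPLE_SBOM), "->", predicate_size(trimmed), "bytes")
```

Run it against the real trimmed SBOM before the attest step to see how far over the limit the document is, and pass further field names via `extra_top_level` / `extra_package` when the defaults are not enough.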
- Assess the vulnerability:
  ```sh
  grype ghcr.io/midnight-ntwrk/midnight-node:TAG --output json | jq '.matches[] | select(.vulnerability.id == "CVE-YYYY-XXXXX")'
  ```
- Create tracking issue documenting CVE ID, severity, affected component, impact assessment, and upstream fix status
- Add to `.grype.yaml` with required comments (see "Option 2" above for format)
- Create PR referencing the tracking issue
When a fix becomes available: update the package, remove the ignore entry, close the tracking issue, and create a PR with all changes.
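The assessment and cleanup steps above, as an added Python example that is not part of the project's tooling: it applies the same `.matches[] | select(.vulnerability.id == ...)` selection to grype JSON, reads the `- vulnerability:` entries of `.grype.yaml`, and reports critical findings with no ignore entry plus ignore entries for CVEs grype no longer reports (the ones to remove once the fix lands). The report and config are constructed with placeholder CVE ids, and the report is assumed to come from a grype run without the ignore rules applied.

```python
"""Reconcile grype JSON output against the ignore entries in .grype.yaml."""
import json
import re

# Matches the "- vulnerability: CVE-..." entries under ignore: without PyYAML.
IGNORE_RE = re.compile(r"^\s*-\s*vulnerability:\s*(CVE-\d{4}-\d{4,})\s*$", re.M)

def ignored_cves(grype_yaml: str) -> set:
    """CVE ids that .grype.yaml tells grype to ignore."""
    return set(IGNORE_RE.findall(grype_yaml))

def matches_for(report: dict, cve_id: str) -> list:
    """Same selection as jq '.matches[] | select(.vulnerability.id == ID)'."""
    return [m for m in report["matches"] if m["vulnerability"]["id"] == cve_id]

def reconcile(report: dict, grype_yaml: str) -> dict:
    """Critical findings with no ignore entry, and ignore entries whose CVE
    grype no longer reports (the fix has landed, so the entry should go)."""
    ignored = ignored_cves(grype_yaml)
    reported = {m["vulnerability"]["id"] for m in report["matches"]}
    unignored_critical = sorted(
        m["vulnerability"]["id"] for m in report["matches"]
        if m["vulnerability"]["severity"] == "Critical"
        and m["vulnerability"]["id"] not in ignored)
    return {"unignored_critical": unignored_critical,
            "stale_ignores": sorted(ignored - reported)}

# Constructed grype report and .grype.yaml; CVE ids are placeholders.
SAMPLE_REPORT = {"matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical"},
     "artifact": {"name": "libfoo", "version": "1.0"}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "Critical"},
     "artifact": {"name": "libbar", "version": "2.1"}},
    {"vulnerability": {"id": "CVE-0000-0003", "severity": "Medium"},
     "artifact": {"name": "libbaz", "version": "0.9"}},
]}
SAMPLE_GRYPE_YAML = """ignore:
  # CVE-0000-0001: placeholder description
  # Tracking: https://example.invalid/issues/1
  # TODO: Remove when upstream releases fix
  - vulnerability: CVE-0000-0001
  # CVE-0000-0009: upstream fix shipped; stale entry
  - vulnerability: CVE-0000-0009
"""

if __name__ == "__main__":
    print(json.dumps(reconcile(SAMPLE_REPORT, SAMPLE_GRYPE_YAML), indent=2))
```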
- Assess which versions/deployments are affected
- Alert operators via appropriate channels
- Create hotfix release or document mitigation steps
- Push fixed images through normal pipeline
Check status at https://www.githubstatus.com/. If attestation steps fail due to a GitHub outage, the build will fail — images cannot be published without attestations. Wait for the outage to resolve and re-run the workflow.
- Image Signing Overview - Architecture and implementation
- Verification Guide - How to verify attestations
- Release Checklist - Release procedures