Installing all the packages needed to build (multiplatform) binaries for a C application is time consuming, so that work happens here, and the image can then be used to accelerate builds elsewhere.
The Docker images created from this repo have SLSA Build Level 3 attestations.
These can be verified using the slsa-verifier tool e.g.:
CMAKE_VERSION="3.30.2"
IMAGE="atsigncompany/cbuildimage"
SHA=$(docker buildx imagetools inspect ${IMAGE}:CMake-${CMAKE_VERSION} \
--format "{{json .Manifest}}" | jq -r .digest)
slsa-verifier verify-image ${IMAGE}@${SHA} --source-uri \
github.com/atsign-company/at_c_buildimage --source-tag c${CMAKE_VERSION}The Docker images created from this repo are signed during the build process so that you can verify their authenticity using cosign:
cosign verify atsigncompany/cbuildimage:latest \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
--certificate-identity-regexp='^https://github.com/atsign-company/at_c_buildimage/.+'