From 22ff81ce9ae455e8e331a7ff0f6793d74b68b505 Mon Sep 17 00:00:00 2001
From: Juliette Pretot
Date: Mon, 15 Apr 2024 22:48:23 +0000
Subject: [PATCH] add provenance for containers system image
Change-Id: Idd3f7eeb8b4ad6ad368b7829f01ee50b17a309a8
---
 .github/workflows/provenance.yaml | 1 +
 buildconfigs/oak_containers_system_image.toml | 12 ++++++++++++
 2 files changed, 13 insertions(+)
 create mode 100644 buildconfigs/oak_containers_system_image.toml
diff --git a/.github/workflows/provenance.yaml b/.github/workflows/provenance.yaml
index 736a56b931b..0a2becb5cdb 100644
--- a/.github/workflows/provenance.yaml
+++ b/.github/workflows/provenance.yaml
@@ -28,6 +28,7 @@ jobs:
 - buildconfigs/key_xor_test_app.toml
 - buildconfigs/oak_containers_kernel.toml
 - buildconfigs/oak_containers_stage1.toml
+ - buildconfigs/oak_containers_system_image.toml
 - buildconfigs/oak_echo_enclave_app.toml
 - buildconfigs/oak_echo_raw_enclave_app.toml
 - buildconfigs/oak_functions_enclave_app.toml
diff --git a/buildconfigs/oak_containers_system_image.toml b/buildconfigs/oak_containers_system_image.toml
new file mode 100644
index 00000000000..3f2200cfbb4
--- /dev/null
+++ b/buildconfigs/oak_containers_system_image.toml
@@ -0,0 +1,12 @@
+# This is the static build configuration that we use with the docker-based SLSA3 generator for
+# building the `stage1` binary, and its provenance.
+# See https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/docker.
+command = [
+ "nix",
+ "develop",
+ ".#containers",
+ "--command",
+ "just",
+ "oak_containers_system_image",
+]
+artifact_path = "./oak_containers_system_image/target/image.tar.xz"
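Review bot: The header comment of the new buildconfigs/oak_containers_system_image.toml still says the config is for building the `stage1` binary, while `command` runs `just oak_containers_system_image` and `artifact_path` points at `./oak_containers_system_image/target/image.tar.xz`. It looks carried over from the stage1 config. Because this file defines which artifact the SLSA provenance is generated for, a reader auditing the attestation subject should not have to reconcile the comment with the keys below it. I would change the second comment line to `# building the Oak Containers system image, and its provenance.`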