Files
uv/.github/workflows
Zanie Blue b9abe15562 Add SBOM attestations to Docker images (#18252)
Adds SBOM attestations
https://docs.docker.com/build/metadata/attestations/sbom/

Requires https://github.com/rust-secure-code/cargo-auditable/pull/236
for our uv binaries and their dependencies to be included in the SBOM

You can inspect the SBOM with, e.g.:

```
docker buildx imagetools inspect ghcr.io/astral-sh/uv-dev:sha-ece6427 --format '{{json .SBOM}}' | jq
docker buildx imagetools inspect ghcr.io/astral-sh/uv-dev:sha-ece6427-python3.9-trixie --format '{{json .SBOM}}' | jq
```

Also explicitly sets
https://docs.docker.com/build/metadata/attestations/slsa-provenance/#max
but there appears to be no change as all of the max SLSA data is already
present.
2026-03-03 12:14:06 -06:00
..