Add release workflow

Author: kvinwang

.github/workflows/release.yml

@@ -0,0 +1,99 @@
+name: Sysbox Installer Release
+
+on:
+  workflow_dispatch:
+  push:
+    tags:
+      - 'v*'
+permissions:
+  attestations: write
+  id-token: write
+  contents: write
+  packages: write
+
+jobs:
+  build-and-release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Parse version from tag or generate timestamp
+        run: |
+          if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
+            VERSION=$(date -u +%Y%m%d%H%M%S)
+            echo "Manual trigger - using timestamp: $VERSION"
+          else
+            VERSION=${GITHUB_REF#refs/tags/v}
+            echo "Tag trigger - parsed version: $VERSION"
+          fi
+          echo "VERSION=$VERSION" >> $GITHUB_ENV
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ vars.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Record Git revision
+        run: |
+          echo "GIT_REV=$(git rev-parse HEAD)" >> $GITHUB_ENV
+
+      - name: Build and push Docker image
+        id: build-and-push
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: docker/Dockerfile
+          push: true
+          tags: ${{ vars.DOCKERHUB_ORG }}/dstack-sysbox-installer:${{ env.VERSION }}
+          platforms: linux/amd64
+          provenance: false
+          build-args: |
+            DSTACK_REV=${{ env.GIT_REV }}
+
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-name: "docker.io/${{ vars.DOCKERHUB_ORG }}/dstack-sysbox-installer"
+          subject-digest: ${{ steps.build-and-push.outputs.digest }}
+          push-to-registry: true
+
+      - name: GitHub Release
+        uses: softprops/action-gh-release@v1
+        with:
+          name: "Sysbox Installer Release v${{ env.VERSION }}"
+          body: |
+            ## Docker Image Information
+
+            **Image**: `docker.io/${{ vars.DOCKERHUB_ORG }}/dstack-sysbox-installer:${{ env.VERSION }}`
+
+            **Digest (SHA256)**: `${{ steps.build-and-push.outputs.digest }}`
+
+            **Verification**: [Verify on Sigstore](https://search.sigstore.dev/?hash=${{ steps.build-and-push.outputs.digest }})
+
+            ## Installation
+
+            ```bash
+            docker run --rm --privileged --pid=host --net=host -v /:/host \
+              docker.io/${{ vars.DOCKERHUB_ORG }}/dstack-sysbox-installer:${{ env.VERSION }}
+            ```
+
+            ## Verify Image Attestation
+
+            ```bash
+            # Install cosign
+            curl -O -L "https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64"
+            sudo mv cosign-linux-amd64 /usr/local/bin/cosign
+            sudo chmod +x /usr/local/bin/cosign
+
+            # Verify the image
+            cosign verify-attestation \
+              --type https://slsa.dev/provenance/v1 \
+              --certificate-identity-regexp "^https://github.com/${{ github.repository }}/.github/workflows/release.yml@refs/tags/v${{ env.VERSION }}$" \
+              --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+              docker.io/${{ vars.DOCKERHUB_ORG }}/dstack-sysbox-installer@${{ steps.build-and-push.outputs.digest }}
+            ```

README.md

@@ -146,6 +146,44 @@ rm -rf /dstack/persistent/sysbox-*
 - dstack system with ZFS persistent storage
 - systemd for service management
 
+## Release and Verification
+
+### Creating a Release
+
+Releases are automated via GitHub Actions with sigstore attestation:
+
+1. Tag a new version:
+   ```bash
+   git tag v1.0.0
+   git push origin v1.0.0
+   ```
+
+2. The workflow will automatically:
+   - Build the Docker image
+   - Push to Docker Hub
+   - Generate sigstore attestation
+   - Create a GitHub release
+
+### Verifying Image Attestation
+
+All released images are signed with sigstore for supply chain security:
+
+```bash
+# Install cosign
+curl -O -L "https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64"
+sudo mv cosign-linux-amd64 /usr/local/bin/cosign
+sudo chmod +x /usr/local/bin/cosign
+
+# Verify the image (replace VERSION and DIGEST)
+cosign verify-attestation \
+  --type https://slsa.dev/provenance/v1 \
+  --certificate-identity-regexp "^https://github.com/YOUR_ORG/dstack-sysbox-installer/.github/workflows/release.yml@refs/tags/vVERSION$" \
+  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+  docker.io/YOUR_ORG/dstack-sysbox-installer@sha256:DIGEST
+```
+
+You can also verify on [Sigstore Search](https://search.sigstore.dev/).
+
 ## Support
 
 For issues with the installer, check:

docker/Dockerfile

@@ -77,11 +77,15 @@ COPY scripts/sysbox-fs.service /usr/local/share/sysbox-fs.service
 # Make everything executable
 RUN chmod +x /usr/local/bin/*
 
+# Build metadata arguments (final stage)
+ARG DSTACK_REV
+
 # Create build info
 RUN echo "Sysbox Installer Image" > /usr/local/share/BUILD_INFO && \
     echo "Built: $(date)" >> /usr/local/share/BUILD_INFO && \
     echo "Sysbox: $(/usr/local/bin/sysbox-mgr --version | head -1)" >> /usr/local/share/BUILD_INFO && \
-    echo "rsync: $(/usr/local/bin/rsync --version | head -1)" >> /usr/local/share/BUILD_INFO
+    echo "rsync: $(/usr/local/bin/rsync --version | head -1)" >> /usr/local/share/BUILD_INFO && \
+    echo "Git Revision: ${DSTACK_REV:-unknown}" >> /usr/local/share/BUILD_INFO
 
 WORKDIR /workspace