moby · crazy-max · Mar 20, 2026 · Mar 19, 2026
diff --git a/.github/workflows/update-tuf-roots.yml b/.github/workflows/update-tuf-roots.yml
@@ -0,0 +1,41 @@
+name: update-tuf-roots
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 10 * * *'
+  push:
+    branches:
+      - 'main'
+
+jobs:
+  update-tuf-roots:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v6
+      -
+        name: Build
+        uses: docker/bake-action@v7
+        with:
+          source: .
+          targets: tuf-root
+        env:
+          ROOT_SIGNING_VERSION: main
+      -
+        name: Commit changes
+        run: |
+          git add -A .
+      -
+        name: Create PR
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0  # v8.1.0
+        with:
+          base: main
+          branch: bot/update-tuf-roots
+          commit-message: "chore: update tuf roots"
+          signoff: true
+          delete-branch: true
+          body: |
+            Update sigstore tuf roots to keep in sync with [https://www.github.com/sigstore/root-signing](https://www.github.com/sigstore/root-signing).
+          draft: false
diff --git a/Dockerfile b/Dockerfile
@@ -1,26 +1,50 @@
-# syntax=docker/dockerfile:1.19-labs
+# syntax=docker/dockerfile:1
 
 ARG ALPINE_VERSION=3.22
-ARG ROOT_SIGNING_VERSION=main
 ARG GOLANG_VERSION=1.25
 ARG XX_VERSION=1.8.0
-ARG DOCKER_HARDENED_IMAGES_KEYRING_VERSION=main
+
+ARG ROOT_SIGNING_VERSION=975f28e3597a34098a7c0c07edc16f47420b9aa3
+
+ARG DOCKER_HARDENED_IMAGES_KEYRING_VERSION=04ae44966821da8e5cdcb4c51137dee69297161a
+
+FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx
+
+FROM alpine:${ALPINE_VERSION} AS base
+RUN apk add --no-cache file git
 
 FROM scratch AS sigstore-root-signing
 ARG ROOT_SIGNING_VERSION
-ADD https://www.github.com/sigstore/root-signing.git#${ROOT_SIGNING_VERSION} /
+ADD --keep-git-dir=true "https://www.github.com/sigstore/root-signing.git#${ROOT_SIGNING_VERSION}" /
 
 FROM scratch AS tuf-root
 COPY --from=sigstore-root-signing metadata/root.json metadata/snapshot.json metadata/timestamp.json metadata/targets.json /
 COPY --parents --from=sigstore-root-signing targets/trusted_root.json /
 
-FROM alpine:${ALPINE_VERSION} AS validate-tuf-root
+FROM base AS tuf-root-update-work
+RUN --mount=type=bind,target=/src \
+    --mount=type=bind,from=sigstore-root-signing,target=/sigstore-root-signing \
+    --mount=type=bind,from=tuf-root,target=/a \
+    --mount=type=bind,source=roots/tuf-root,target=/b <<EOT
+  set -eu
+  if ! diff -ruN /a /b; then
+    mkdir -p /out/roots/tuf-root
+    cp /src/Dockerfile /out/Dockerfile
+    cp -R /a/. /out/roots/tuf-root
+    sha="$(git -C /sigstore-root-signing log -n1 --format=%H -- metadata/root.json metadata/snapshot.json metadata/timestamp.json metadata/targets.json targets/trusted_root.json)"
+    echo "Updating ROOT_SIGNING_VERSION in Dockerfile to ${sha}"
+    sed -i -E 's|^ARG ROOT_SIGNING_VERSION=.*$|ARG ROOT_SIGNING_VERSION='"${sha}"'|' /out/Dockerfile
+  fi
+EOT
+
+FROM scratch AS tuf-root-update
+COPY --from=tuf-root-update-work /out /
+
+FROM base AS validate-tuf-root
 RUN --mount=type=bind,from=tuf-root,target=/a \
     --mount=type=bind,source=roots/tuf-root,target=/b \
     diff -ruN /a /b
 
-FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx
-
 FROM scratch AS dhi-keyring
 ARG DOCKER_HARDENED_IMAGES_KEYRING_VERSION
 ADD https://www.github.com/docker-hardened-images/keyring.git#${DOCKER_HARDENED_IMAGES_KEYRING_VERSION} /

diff --git a/docker-bake.hcl b/docker-bake.hcl
@@ -1,15 +1,11 @@
 variable "ROOT_SIGNING_VERSION" {
-    type    = string
-    # default = "8842feefbb65effea46ff4a0f2b6aad91e685fe9" # expired root
-    # default = "9d8b5c5e3bed603c80b57fcc316b7a1af688c57e" # expired timestamp
-    default = "975f28e3597a34098a7c0c07edc16f47420b9aa3"
-    description = "The git commit hash of sigstore/root-signing to use for embedded roots."
+  description = "The git commit hash of sigstore/root-signing to use for embedded roots."
+  default = null
 }
 
 variable "DOCKER_HARDENED_IMAGES_KEYRING_VERSION" {
-    type    = string
-    default = "04ae44966821da8e5cdcb4c51137dee69297161a"
-    description = "The git branch or commit hash of docker-hardened-images/keyring to use for DHI verification."
+  description = "The git branch or commit hash of docker/hardened-images/keyring to use for DHI verification."
+  default = null
 }
 
 target "_common" {
@@ -19,10 +15,10 @@ target "_common" {
 }
 
 target "tuf-root" {
-    target = "tuf-root"
+    target = "tuf-root-update"
     output = [{
         type = "local",
-        dest = "roots/tuf-root"
+        dest = "."
     }]
     args = {
         ROOT_SIGNING_VERSION = ROOT_SIGNING_VERSION