From 04a57b62a4403be8519aae752ecb457aad894867 Mon Sep 17 00:00:00 2001
From: John Strunk
Date: Wed, 15 May 2024 15:56:53 +0000
Subject: [PATCH] Add attestation for container image
Signed-off-by: John Strunk
---
 .github/workflows/workflow.yaml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/.github/workflows/workflow.yaml b/.github/workflows/workflow.yaml
index a0c2da7..b80ab14 100644
--- a/.github/workflows/workflow.yaml
+++ b/.github/workflows/workflow.yaml
@@ -101,7 +101,9 @@ jobs:
 needs: [pre-commit, tests]
 runs-on: ubuntu-latest
 permissions:
+ attestations: write # For build attestation
 contents: read
+ id-token: write # For build attestation
 packages: write # Required to push to GitHub Container Registry
 steps:
@@ -147,6 +149,7 @@ jobs:
 type=raw,value=latest,enable={{is_default_branch}}
 - name: Build and push Docker image
+ id: push
 # https://github.com/docker/build-push-action
 uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
 with:
@@ -166,6 +169,22 @@ jobs:
 cache-from: type=gha
 cache-to: type=gha,mode=max
+ - name: print outputs
+ run: |
+ echo "Imageid: ${{ steps.push.outputs.imageid }}"
+ echo "Digest: ${{ steps.push.outputs.digest }}"
+ echo "metadata: ${{ steps.push.outputs.metadata }}"
+ false # Stop execution
+
+ - name: Add image attestation
+ # https://github.com/actions/attest-build-provenance
+ uses: actions/attest-build-provenance@v1.1.1
+ with:
+ subject-name: ${{ env.CONTAINER_IMAGE }}
+ subject-digest: ${{ steps.push.outputs.digest }}
+ # Match the push condition above
+ push-to-registry: ${{ github.event_name != 'pull_request' }}
+
 # This is a dummy job that can be used to determine success of CI:
 # - by Mergify instead of having to list a bunch of other jobs
 # - for branch protection rules
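Review bot: The `false # Stop execution` line at the end of the new "print outputs" step in the third hunk fails the job unconditionally, so the "Add image attestation" step that follows it never runs and no provenance is ever produced or pushed for the image; drop the debugging step (or at least the `false`) before this merges. Separately, `uses: actions/attest-build-provenance@v1.1.1` is pinned to a mutable tag while the build-push-action in the same job is pinned to a commit SHA; because this job now holds `id-token: write`, a moved tag would let third-party code mint OIDC tokens in the repository's name, so pin it the same way, e.g. `uses: actions/attest-build-provenance@<commit-sha> # v1.1.1`. The `subject-name` presumably resolves to the fully qualified registry path (registry/namespace/image) that `push-to-registry` needs to locate the image, but the `CONTAINER_IMAGE` definition is outside this hunk and worth confirming. The enclosing job's `steps:` list starts before the hunk.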