Merge pull request #66 from JohnStrunk/attest

Add attestation for container image
JohnStrunk · May 15, 2024 · 599234a · 599234a
2 parents 3fe13a4 + 12d7cdc
commit 599234a
Showing 1 changed file with 14 additions and 1 deletion.
diff --git a/.github/workflows/workflow.yaml b/.github/workflows/workflow.yaml
@@ -101,8 +101,10 @@ jobs:
     needs: [pre-commit, tests]
     runs-on: ubuntu-latest
     permissions:
+      attestations: write  # For build attestation
       contents: read
-      packages: write  # Required to push to GitHub Container Registry
+      id-token: write      # For build attestation
+      packages: write      # Required to push to GitHub Container Registry
 
     steps:
       - name: Checkout repository
@@ -147,6 +149,7 @@ jobs:
             type=raw,value=latest,enable={{is_default_branch}}
 
       - name: Build and push Docker image
+        id: push
         # https://github.com/docker/build-push-action
         uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
         with:
@@ -166,6 +169,16 @@ jobs:
           cache-from: type=gha
           cache-to: type=gha,mode=max
 
+      - name: Add image attestation
+        # Match the push condition above
+        if: github.event_name != 'pull_request'
+        # https://github.com/actions/attest-build-provenance
+        uses: actions/[email protected]
+        with:
+          subject-name: ${{ env.CONTAINER_IMAGE }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
+
   # This is a dummy job that can be used to determine success of CI:
   # - by Mergify instead of having to list a bunch of other jobs
   # - for branch protection rules