From 12d7cdcc1c0d4ae8631dfabe651d0e33f455d5b6 Mon Sep 17 00:00:00 2001
From: John Strunk
Date: Wed, 15 May 2024 15:56:53 +0000
Subject: [PATCH] Add attestation for container image

Signed-off-by: John Strunk
---
 .github/workflows/workflow.yaml | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/workflow.yaml b/.github/workflows/workflow.yaml
index a0c2da7..2dcc2d2 100644
--- a/.github/workflows/workflow.yaml
+++ b/.github/workflows/workflow.yaml
@@ -101,8 +101,10 @@ jobs:
 needs: [pre-commit, tests]
 runs-on: ubuntu-latest
 permissions:
+ attestations: write # For build attestation
 contents: read
- packages: write # Required to push to GitHub Container Registry
+ id-token: write # For build attestation
+ packages: write # Required to push to GitHub Container Registry
 
 steps:
 - name: Checkout repository
@@ -147,6 +149,7 @@ jobs:
 type=raw,value=latest,enable={{is_default_branch}}
 
 - name: Build and push Docker image
+ id: push
 # https://github.com/docker/build-push-action
 uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
 with:
@@ -166,6 +169,16 @@ jobs:
 cache-from: type=gha
 cache-to: type=gha,mode=max
 
+ - name: Add image attestation
+ # Match the push condition above
+ if: github.event_name != 'pull_request'
+ # https://github.com/actions/attest-build-provenance
+ uses: actions/attest-build-provenance@v1.1.1
+ with:
+ subject-name: ${{ env.CONTAINER_IMAGE }}
+ subject-digest: ${{ steps.push.outputs.digest }}
+ push-to-registry: true
+
 # This is a dummy job that can be used to determine success of CI:
 # - by Mergify instead of having to list a bunch of other jobs
 # - for branch protection rules
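Review bot: The comment on the new `id-token: write` line says only "For build attestation", but the grant is job-wide: every step in this job, including the third-party actions it runs, can now request an OIDC token that identifies this repository and workflow, so the commit-SHA pinning already used for `docker/build-push-action` carries more weight than before. I would say that in the comment, e.g. `id-token: write # OIDC token for Sigstore signing in the attestation step; usable by every step in this job`. The `attestations: write` line is the other permission actions/attest-build-provenance needs, and its comment is adequate as written.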
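Review bot: `uses: actions/attest-build-provenance@v1.1.1` pins the step that signs the provenance to a mutable tag, while the build step a few lines above pins `docker/build-push-action` to a full commit SHA with the version in a trailing comment; the action producing the attestation deserves at least the same treatment, so change the line to `uses: actions/attest-build-provenance@<commit-sha-of-v1.1.1> # v1.1.1`. The `if: github.event_name != 'pull_request'` guard is described as matching the push condition, but that condition lives in build-push-action's `with:` block outside this hunk, so I could not confirm they agree — if they diverge, `steps.push.outputs.digest` may be empty or the attestation may describe an image that was never pushed. With `push-to-registry: true` the action also expects `subject-name` to be the registry-qualified image name without a tag and an earlier registry login in the same job; `env.CONTAINER_IMAGE` is defined outside this diff, so please verify it has that form.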