Add attestation for container image

Signed-off-by: John Strunk <[email protected]>
JohnStrunk · May 15, 2024 · e36c679 · e36c679
1 parent 3fe13a4
commit e36c679
Showing 1 changed file with 11 additions and 0 deletions.
diff --git a/.github/workflows/workflow.yaml b/.github/workflows/workflow.yaml
@@ -101,7 +101,9 @@ jobs:
     needs: [pre-commit, tests]
     runs-on: ubuntu-latest
     permissions:
+      attestations: write  # For build attestation
       contents: read
+      id-token: write  # For build attestation
       packages: write  # Required to push to GitHub Container Registry
 
     steps:
@@ -149,6 +151,7 @@ jobs:
       - name: Build and push Docker image
         # https://github.com/docker/build-push-action
         uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
+        id: push
         with:
           annotations: ${{ steps.meta.outputs.annotations }}
           context: .
@@ -166,6 +169,14 @@ jobs:
           cache-from: type=gha
           cache-to: type=gha,mode=max
 
+      - name: Add image attestation
+        uses: actions/[email protected]
+        with:
+          subject-name: ${{ env.CONTAINER_IMAGE }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          # Match the push condition above
+          push-to-registry: ${{ github.event_name != 'pull_request' }}
+
   # This is a dummy job that can be used to determine success of CI:
   # - by Mergify instead of having to list a bunch of other jobs
   # - for branch protection rules