Merge pull request #176 from prose-im/master

feat: attest image provenance
prose-im · Aug 28, 2024 · 369e3ad · 369e3ad
2 parents c9e339b + ccdde1d
commit 369e3ad
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -64,6 +64,8 @@ jobs:
 
     permissions:
       packages: write
+      attestations: write
+      id-token: write
 
     env:
       REGISTRY: ghcr.io
@@ -103,13 +105,21 @@ jobs:
         run: tar -xzvf ./build-${{ needs.build.outputs.revision }}.tar.gz
 
       - name: Build and push Docker image
+        id: push
         uses: docker/build-push-action@v6
         with:
           context: .
           tags: ${{ steps.metadata.outputs.tags }}
           labels: ${{ steps.metadata.outputs.labels }}
           push: true
 
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
+
   deploy:
     needs: build
     environment: prose.org