From 41941cddc1ffc845a76161ab09f3d453d22ffcd3 Mon Sep 17 00:00:00 2001
From: Jade Ellis
Date: Thu, 9 Jan 2025 17:11:06 +0000
Subject: [PATCH] enable image artifact attestations
---
.github/workflows/publish-image.yml | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
diff --git a/.github/workflows/publish-image.yml b/.github/workflows/publish-image.yml
index 2f51a6a7..e7e281c3 100644
--- a/.github/workflows/publish-image.yml
+++ b/.github/workflows/publish-image.yml
@@ -29,6 +29,9 @@ jobs:
images_list: ${{ steps.var.outputs.images_list }}
build_matrix: ${{ steps.var.outputs.build_matrix }}
merge_matrix: ${{ steps.var.outputs.merge_matrix }}
+ ghcr_image: ${{ steps.var.outputs.ghcr_image }}
+ docker_image: ${{ steps.var.outputs.docker_image }}
+ glhr_image: ${{ steps.var.outputs.glhr_image }}
steps:
- name: Setting variables
@@ -183,6 +186,30 @@ jobs:
sbom: true
outputs: type=image,"name=${{ needs.define-variables.outputs.images_list }}",push-by-digest=true,name-canonical=true,push=true
+ # This step generates an artifact attestation for the image, which is an unforgeable statement about where and how it was built. It increases supply chain security for people who consume the image. For more information, see "[Using artifact attestations to establish provenance for builds](https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds)."
+ - name: Generate artifact attestation (${{ needs.define-variables.outputs.ghcr_image}})
+ uses: actions/attest-build-provenance@v2
+ if: env.GHCR_ENABLED == 'true'
+ with:
+ subject-name: ${{ needs.define-variables.outputs.ghcr_image}}
+ subject-digest: ${{ steps.build.outputs.digest }}
+ push-to-registry: true
+ - name: Generate artifact attestation (index.${{ needs.define-variables.outputs.docker_image}})
+ uses: actions/attest-build-provenance@v2
+ if: (vars.DOCKER_USERNAME != '') && (env.DOCKERHUB_TOKEN != '')
+ with:
+ # see action readme (we need to use index.docker.io rather than docker.io)
+ subject-name: index.${{ needs.define-variables.outputs.docker_image}}
+ subject-digest: ${{ steps.build.outputs.digest }}
+ push-to-registry: true
+ - name: Generate artifact attestation (${{ needs.define-variables.outputs.glhr_image}})
+ uses: actions/attest-build-provenance@v2
+ if: (vars.GITLAB_USERNAME != '') && (env.GITLAB_TOKEN != '')
+ with:
+ subject-name: ${{ needs.define-variables.outputs.glhr_image}}
+ subject-digest: ${{ steps.build.outputs.digest }}
+ push-to-registry: true
+ # For publishing multi-platform manifests
- name: Export digest
run: |
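Review bot: All three new steps reference `actions/attest-build-provenance@v2` by a mutable major tag; for a step whose only purpose is to produce provenance evidence, pin it to a full commit SHA with the version as a trailing comment (`uses: actions/attest-build-provenance@<full-commit-sha> # v2.x.y`) so the attestation signer itself cannot be swapped by a tag move. The action also needs `id-token: write` and `attestations: write` (plus `packages: write` for `push-to-registry: true` against GHCR), and this diff touches no `permissions:` block, so confirm the job or workflow already grants them — otherwise the OIDC token request fails at runtime rather than at review time. Each step attests `steps.build.outputs.digest`, which under the `push-by-digest=true` context line is the single-platform image digest; if the merge job hinted at by `# For publishing multi-platform manifests` later assembles a manifest list, the index digest that tags resolve to presumably carries no attestation, and `gh attestation verify` by tag would fail unless that job attests the merged digest too. The enclosing job begins before this hunk.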