enable image artifact attestations

This commit is contained in:
Jade Ellis 2025-01-09 17:11:06 +00:00
parent 671ab8fbc1
commit 97b7623729
No known key found for this signature in database
GPG key ID: 8705A2A3EBF77BD2


@ -29,6 +29,9 @@ jobs:
images_list: ${{ steps.var.outputs.images_list }}
build_matrix: ${{ steps.var.outputs.build_matrix }}
merge_matrix: ${{ steps.var.outputs.merge_matrix }}
ghcr_image: ${{ steps.var.outputs.ghcr_image }}
docker_image: ${{ steps.var.outputs.docker_image }}
glhr_image: ${{ steps.var.outputs.glhr_image }}
steps:
- name: Setting variables
@ -183,6 +186,30 @@ jobs:
sbom: true
outputs: type=image,"name=${{ needs.define-variables.outputs.images_list }}",push-by-digest=true,name-canonical=true,push=true
# This step generates an artifact attestation for the image, which is an unforgeable statement about where and how it was built. It increases supply chain security for people who consume the image. For more information, see "[Using artifact attestations to establish provenance for builds](https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds)."
- name: Generate artifact attestation (${{ needs.define-variables.outputs.ghcr_image}})
uses: actions/attest-build-provenance@v2
if: env.GHCR_ENABLED == 'true'
with:
subject-name: ${{ needs.define-variables.outputs.ghcr_image}}
subject-digest: ${{ steps.build.outputs.digest }}
push-to-registry: true
- name: Generate artifact attestation (index.${{ needs.define-variables.outputs.docker_image}})
uses: actions/attest-build-provenance@v2
if: (vars.DOCKER_USERNAME != '') && (env.DOCKERHUB_TOKEN != '')
with:
# see action readme (we need to use index.docker.io rather than docker.io)
subject-name: index.${{ needs.define-variables.outputs.docker_image}}
subject-digest: ${{ steps.build.outputs.digest }}
push-to-registry: true
- name: Generate artifact attestation (${{ needs.define-variables.outputs.glhr_image}})
uses: actions/attest-build-provenance@v2
if: (vars.GITLAB_USERNAME != '') && (env.GITLAB_TOKEN != '')
with:
subject-name: ${{ needs.define-variables.outputs.glhr_image}}
subject-digest: ${{ steps.build.outputs.digest }}
push-to-registry: true
# For publishing multi-platform manifests
- name: Export digest
run: |
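Review bot: All three new attestation steps use `subject-digest: ${{ steps.build.outputs.digest }}`, which with `push-by-digest=true` on the `outputs:` line is the per-platform image digest, while the `# For publishing multi-platform manifests` export below implies a later merge job produces the manifest list that tags actually resolve to; unless that job also attests the merged digest, a consumer verifying an image pulled by tag (e.g. with `gh attestation verify`) will find no attestation. Consider a comment above the first step, `# Attests the per-platform digest only; the merged manifest list must be attested separately in the merge job`, and a matching step there. The job's `permissions:` block is outside the hunk; `actions/attest-build-provenance` requires `id-token: write` and `attestations: write` (and `packages: write` for `push-to-registry: true` against GHCR), so confirm those are granted. Since this step is itself the supply-chain control, pinning `actions/attest-build-provenance@v2` to a full commit SHA rather than the mutable major tag would be preferable, if the repository's action-pinning convention allows it.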