From 128fde8af9e1cad9a76fb5178b2c9c7bcba1e59b Mon Sep 17 00:00:00 2001
From: Robert Eggl
Date: Thu, 12 Dec 2024 12:20:25 +0100
Subject: [PATCH] chore(workflows): setup build attestation

---
 .github/workflows/docker-image.yml | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
index 847edb0b..cf94b175 100644
--- a/.github/workflows/docker-image.yml
+++ b/.github/workflows/docker-image.yml
@@ -16,7 +16,9 @@ jobs:
     runs-on: ubuntu-latest
     # Sets the permissions granted to the `GITHUB_TOKEN` for the actions in this job.
     permissions:
+      id-token: write
       contents: read
+      attestations: write
       packages: write
     #
     steps:
@@ -39,7 +41,8 @@ jobs:
       # It uses the `context` parameter to define the build's context as the set of files located in the specified path. For more information, see "[Usage](https://github.com/docker/build-push-action#usage)" in the README of the `docker/build-push-action` repository.
       # It uses the `tags` and `labels` parameters to tag and label the image with the output from the "meta" step.
       - name: Build and push Docker image
-        uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
+        id: push
+        uses: docker/build-push-action@v5.0.0
         with:
           context: .
           push: true
@@ -51,3 +54,10 @@ jobs:
             NEXT_PUBLIC_THI_API_KEY=${{ secrets.NEXT_PUBLIC_THI_API_KEY }}
             NEXT_PUBLIC_THI_API_MODE=${{ vars.NEXT_PUBLIC_THI_API_MODE }}
             NEXT_PUBLIC_NEULAND_GRAPHQL_ENDPOINT=${{ github.ref == 'refs/heads/develop' && vars.GRAPHQL_ENDPOINT_DEV || vars.GRAPHQL_ENDPOINT_PROD }}
+      - name: Attest
+        uses: actions/attest-build-provenance@v2
+        id: attest
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
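Review bot: The new `uses: docker/build-push-action@v5.0.0` line replaces a full-SHA pin with a mutable tag, so the step that now produces the digest the attestation signs can change underneath the workflow if the tag is moved; `actions/attest-build-provenance@v2` in the following hunk has the same weakness. Pin both to a full commit SHA and keep the version as a trailing comment, e.g. `uses: docker/build-push-action@<full-commit-sha> # v5.0.0`, so the provenance chain starts from immutable action code. The attest step also reads `env.REGISTRY` and `env.IMAGE_NAME`, which are defined outside this hunk, so it is worth confirming that `subject-name` resolves to the registry image reference without a tag, as `push-to-registry` appears to expect. The job's `steps:` block begins and ends outside these hunks.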