From 1caa28295be1e4499c76402230dea27eaf1793fd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment?=
Date: Thu, 17 Oct 2024 22:36:15 +0200
Subject: [PATCH] ops: improve ci by attesting build

---
 .github/workflows/docker.yml | 29 +++++++++++++++++++++--------
 1 file changed, 21 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index fbbb77a..dbeb032 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -4,6 +4,9 @@ on:
 push:
 branches:
 - main
+env:
+ REGISTRY: ghcr.io
+ IMAGE_NAME: ghcr.io/${{ github.repository }}
 jobs:
 docker:
@@ -14,18 +17,28 @@ jobs:
 uses: actions/checkout@v4
 - name: Setup Nix
- uses: cachix/install-nix-action@v27
+ uses: cachix/install-nix-action@v30
 - name: Build Docker image
 run: nix build .#docker
- - name: Log in to GitHub Container Registry
- run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+ - name: Login to GitHub Container Registry
+ uses: docker/login-action@v3
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
- - name: Load Docker image
+ - name: Push Docker image to GitHub Container Registry
 run: |
 docker load < result
- docker tag drawbu.dev ghcr.io/${{ github.repository }}:latest
-
- - name: Push Docker image to GitHub Container Registry
- run: docker push ghcr.io/${{ github.repository }}:latest
+ docker tag drawbu.dev ${{ env.IMAGE_NAME }}
+ docker push ${{ env.IMAGE_NAME }}
+
+ - name: Attest
+ uses: actions/attest-build-provenance@v1
+ id: attest
+ with:
+ subject-name: ${{ env.IMAGE_NAME }}
+ subject-digest: ${{ steps.push.outputs.digest }}
+ push-to-registry: true
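Review bot: `IMAGE_NAME: ghcr.io/${{ github.repository }}` keeps the owner/repository name in its original case, while `docker tag` and GHCR accept only lowercase repository paths, so the later tag and push steps will presumably fail if either name contains an uppercase character — the hunk does not show the repository name, so this is worth confirming rather than assuming. Workflow-level `env` cannot reference the `env` context, which is why `ghcr.io` is repeated instead of `${{ env.REGISTRY }}`; that duplication is acceptable, but the case issue is not solved by it. A cheap normalisation step before the tag, e.g. `run: echo "IMAGE_NAME=${IMAGE_NAME,,}" >> "$GITHUB_ENV"`, makes the value safe regardless of how the repository is named.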
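Review bot: `subject-digest: ${{ steps.push.outputs.digest }}` references a step id `push` that no step in the hunk declares — the push is a plain `run:` step with no `id` and no outputs, and the only `id` present is `attest` on the attestation step itself — so the digest expands to an empty string and the provenance step either fails or attests nothing useful. Give the push step `id: push` and write the pushed image's digest to `$GITHUB_OUTPUT`, as sketched below. The job's `permissions:` block lies outside the hunk; `attest-build-provenance` with `push-to-registry: true` needs `id-token: write`, `attestations: write` and `packages: write`, so confirm they are granted. The new `docker tag` drops the explicit `:latest` of the removed line (Docker defaults to it, so behaviour is unchanged), but an additional immutable tag such as `${{ github.sha }}` would tie the attestation to one build, and pinning `docker/login-action`, `cachix/install-nix-action` and `actions/attest-build-provenance` to full commit SHAs rather than `@v3`/`@v30`/`@v1` is the usual supply-chain hardening for a workflow that publishes signed provenance.
```yaml
      - name: Push Docker image to GitHub Container Registry
        id: push
        run: |
          docker load < result
          docker tag drawbu.dev ${{ env.IMAGE_NAME }}
          docker push ${{ env.IMAGE_NAME }}
          # RepoDigests is populated by the successful push; the part after '@' is the sha256 digest the attestation needs
          digest="$(docker inspect --format='{{index .RepoDigests 0}}' "${{ env.IMAGE_NAME }}" | cut -d'@' -f2)"
          echo "digest=${digest}" >> "$GITHUB_OUTPUT"
      # … unchanged: Attest step (subject-digest now resolves through steps.push.outputs.digest) …
```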