From 8d1380c1c3b54e4d89ffe2ee649a4a89aacbf2a8 Mon Sep 17 00:00:00 2001 From: Victor Martinez Date: Fri, 26 Apr 2024 15:34:59 +0200 Subject: [PATCH] add github attestation for ghcr.io --- .github/workflows/release.yml | 56 +++++++++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) create mode 100644 .github/workflows/release.yml diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 0000000..5f85ffb --- /dev/null +++ b/.github/workflows/release.yml @@ -0,0 +1,56 @@ +name: release + +on: + push: + branches: [main] + +permissions: + contents: read + +jobs: + ghcr-io: + runs-on: ubuntu-latest + permissions: + attestations: write + id-token: write + packages: write + contents: read + env: + REGISTRY: ghcr.io + IMAGE_NAME: ${{ github.repository }} + + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Login to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Extract metadata (tags, labels) + id: docker-meta + uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + tags: | + type=raw,value=latest,enable=true + type=ref,enable=true,prefix=,suffix=,event=tag + + - name: Build and push image + id: docker-push + uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 + with: + context: . + push: true + tags: ${{ steps.docker-meta.outputs.tags }} + labels: ${{ steps.docker-meta.outputs.labels }} + + - name: Attest image + uses: github-early-access/generate-build-provenance@main + with: + subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + subject-digest: ${{ steps.docker-push.outputs.digest }} + push-to-registry: true