From 1ace9eca9debbaea7ed570012ed5f88f4ecb2a3d Mon Sep 17 00:00:00 2001
From: Toni Tauro
Date: Thu, 31 Oct 2024 11:53:22 +0100
Subject: [PATCH] feat(release): attest (#15)

* feat(release): attest
Signed-off-by: Toni Tauro
* fix(autotag/release): use permissions
Signed-off-by: Toni Tauro
* fix(autotag): contents - write
Signed-off-by: Toni Tauro
* fix(release): only if tag
Signed-off-by: Toni Tauro
---------
Signed-off-by: Toni Tauro
---
 .github/workflows/autotag.yaml | 4 +++-
 .github/workflows/release.yaml | 16 +++++++++++++++-
 2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/autotag.yaml b/.github/workflows/autotag.yaml
index b8d5235..867b8de 100644
--- a/.github/workflows/autotag.yaml
+++ b/.github/workflows/autotag.yaml
@@ -6,6 +6,8 @@ on:
 jobs:
 release:
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
 steps:
 - name: Checkout
 uses: actions/checkout@v3
@@ -16,5 +18,5 @@ jobs:
 id: semrel
 uses: go-semantic-release/action@v1.21
 with:
- github-token: ${{ secrets.PAT }}
+ github-token: ${{ secrets.GITHUB_TOKEN }}
 allow-initial-development-versions: true
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index e80da47..c1039de 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -12,6 +12,11 @@ on:
 jobs:
 build-container:
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ packages: write
+ contents: read
+ attestations: write
 steps:
 - name: Checkout
 uses: actions/checkout@v4
@@ -37,7 +42,7 @@ jobs:
 with:
 registry: ghcr.io
 username: ${{ github.repository_owner }}
- password: ${{ secrets.PAT }}
+ password: ${{ secrets.GITHUB_TOKEN }}
 - name: Build
 uses: redhat-actions/buildah-build@v2
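Review bot: Tags that go-semantic-release creates with `github-token: ${{ secrets.GITHUB_TOKEN }}` (second autotag.yaml hunk) will not start other workflows, because pushes made with the default token never trigger new workflow runs apart from `workflow_dispatch`/`repository_dispatch`; if release.yaml is driven by the tag push (its `on:` block is outside this patch, but the new Attest step is gated on `refs/tags/v`), replacing the PAT here breaks that chain. If the trigger is relied on, keep a narrowly scoped PAT or a GitHub App installation token for this one step and leave `GITHUB_TOKEN` for the registry login. The `contents: write` grant in the first hunk is the right scope for creating tags, but the actions it is handed to (`go-semantic-release/action@v1.21`, `actions/checkout@v3` in the context) are pinned by mutable tag; pinning by full commit SHA (`uses: go-semantic-release/action@<commit-sha> # v1.21`) makes what receives a write-capable token reviewable, and `actions/checkout@v3` also lags the `@v4` used in release.yaml. The `release` job continues past the end of both hunks.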
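Review bot: The registry login in the last release.yaml hunk (`password: ${{ secrets.GITHUB_TOKEN }}`) only succeeds for packages whose access settings include this repository; a `ghcr.io/eyenx/blog` package that was first published with the PAT may not be linked to the repository yet, in which case the push fails with a permission error until the repository is added under the package's "Manage Actions access" (or the package is re-linked on first push). The `packages: write` grant in the earlier permissions hunk covers the token side of that, so a short comment above the login step stating the dependency on package-to-repository linkage, e.g. `# GITHUB_TOKEN can only push to packages linked to this repository`, would save the next person a confusing failure. The `build-container` job continues past the end of this hunk.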
@@ -64,3 +69,12 @@ jobs:
 image: ${{ steps.build.outputs.image }}
 tags: ${{ steps.build.outputs.tags }}
 registry: ghcr.io/eyenx
+
+ - name: Attest
+ uses: actions/attest-build-provenance@v1
+ if: startsWith(github.ref, 'refs/tags/v')
+ id: attest
+ with:
+ subject-name: ghcr.io/eyenx/blog
+ subject-digest: ${{ steps.push.outputs.digest }}
+ push-to-registry: true
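Review bot: `subject-digest: ${{ steps.push.outputs.digest }}` references a step id whose `id:`/`uses:` lines sit above this hunk (only the push step's `image:`/`tags:`/`registry:` inputs are visible); confirm that step carries `id: push` and that its action exposes a `digest` output, since an unknown step or output silently evaluates to an empty string and the attestation then has no subject to bind to. `subject-name: ghcr.io/eyenx/blog` is hard-coded while the push uses `registry: ghcr.io/eyenx` with `image: ${{ steps.build.outputs.image }}`; if that output is ever anything other than `blog` the provenance is attached to a name that does not match the pushed image, so deriving it from the same output (`subject-name: ghcr.io/eyenx/${{ steps.build.outputs.image }}`) keeps the two from drifting. The key order `uses:` → `if:` → `id:` is unusual for this repository, where `id:` precedes `uses:` (see `id: semrel` in autotag.yaml); putting `if:` and `id:` ahead of `uses:` reads consistently. `actions/attest-build-provenance@v1` is a mutable tag for a step that runs with `id-token: write`, so pinning it by commit SHA (`uses: actions/attest-build-provenance@<commit-sha> # v1`) is worth doing at the same time.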