Add ghcr attestation (#100)

- New Features - Enhanced Docker image publishing process with improved security and traceability. - Introduced new steps for attesting build provenance for both Docker Hub and GitHub Container Registry. - Permissions - Updated permissions for the Docker job to include `id-token: write` and `attestations: write`.
svengo · Dec 16, 2024 · 66362be · 66362be
1 parent ff347a4
commit 66362be
Showing 1 changed file with 18 additions and 0 deletions.
diff --git a/.github/workflows/publish-docker.yml b/.github/workflows/publish-docker.yml
@@ -13,6 +13,9 @@ jobs:
     permissions:
       contents: read
       packages: write
+      # permissions needed for attestations
+      id-token: write
+      attestations: write
     runs-on: ubuntu-latest
     steps:
     -
@@ -62,6 +65,7 @@ jobs:
     -
       name: Build and push Docker image
       uses: docker/build-push-action@v6
+      id: push
       with:
         context: .
         file: ./Dockerfile
@@ -71,6 +75,20 @@ jobs:
         cache-from: type=gha
         cache-to: type=gha,mode=max
         platforms: linux/amd64
+    -
+      name: Attest DockerHub
+      uses: actions/attest-build-provenance@v2
+      with:
+        subject-name: ${{ vars.DOCKERHUB_USERNAME }}/${{ vars.IMAGE_NAME }}
+        subject-digest: ${{ steps.push.outputs.digest }}
+        push-to-registry: true
+    -
+      name: Attest ghcr
+      uses: actions/attest-build-provenance@v2
+      with:
+        subject-name: ghcr.io/${{ github.repository_owner }}/${{ vars.IMAGE_NAME }}
+        subject-digest: ${{ steps.push.outputs.digest }}
+        push-to-registry: true
     -
       name: Generate job summary
       id: job-summary