Add Github Attestations support

dfunkt · May 4, 2024 · c43f265 · c43f265
1 parent 15e35f4
commit c43f265
Showing 1 changed file with 29 additions and 0 deletions.
diff --git a/.github/workflows/build-and-push.yaml b/.github/workflows/build-and-push.yaml
@@ -18,6 +18,8 @@ jobs:
     permissions:
       contents: read
       packages: write
+      id-token: write
+      attestations: write
 
     steps:
       - name: Checkout repository
@@ -49,6 +51,7 @@ jobs:
 
       - name: Bake ${{ matrix.base_image }} containers
         uses: docker/bake-action@v4
+        id: build
         env:
           BASE_TAGS: "${{ env.BASE_TAGS }}"
           CONTAINER_REGISTRIES: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
@@ -63,3 +66,29 @@ jobs:
             *.platform=linux/amd64,linux/arm64
             *.cache-from=type=gha
             *.cache-to=type=gha,mode=max
+
+      - name: Extract digest SHA
+        run: |
+          echo DIGEST_SHA="${{ fromJSON(steps.build.outputs.metadata).image['containerimage.digest'] }}" | tee -a "${GITHUB_ENV}"
+
+      - name: Generate build provenance attestation
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          subject-digest: ${{ env.DIGEST_SHA }}
+          push-to-registry: true
+
+      - name: Generate SBOM
+        uses: anchore/sbom-action@v0
+        with:
+          format: 'spdx-json'
+          output-file: 'sbom.spdx.json'
+          upload-artifact: false
+
+      - name: Generate SBOM attestation
+        uses: actions/attest-sbom@v1
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          subject-digest: ${{ env.DIGEST_SHA }}
+          sbom-path: 'sbom.spdx.json'
+          push-to-registry: true