Add Github Attestations support

dfunkt · May 5, 2024 · e86a70a · e86a70a
1 parent 15e35f4
commit e86a70a
Showing 1 changed file with 31 additions and 2 deletions.
diff --git a/.github/workflows/build-and-push.yaml b/.github/workflows/build-and-push.yaml
@@ -18,6 +18,8 @@ jobs:
     permissions:
       contents: read
       packages: write
+      id-token: write
+      attestations: write
 
     steps:
       - name: Checkout repository
@@ -49,6 +51,7 @@ jobs:
 
       - name: Bake ${{ matrix.base_image }} containers
         uses: docker/bake-action@v4
+        id: build
         env:
           BASE_TAGS: "${{ env.BASE_TAGS }}"
           CONTAINER_REGISTRIES: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
@@ -61,5 +64,31 @@ jobs:
           targets: ${{ matrix.base_image }}-multi
           set: |
             *.platform=linux/amd64,linux/arm64
-            *.cache-from=type=gha
-            *.cache-to=type=gha,mode=max
+            *.cache-from=type=gha,scope=${{ matrix.base_image }}
+            *.cache-to=type=gha,scope=${{ matrix.base_image }},mode=max
+
+      - name: Extract digest SHA
+        run: |
+          echo DIGEST_SHA="${{ fromJSON(steps.build.outputs.metadata)."${{ matrix.base_image }}-multi"['containerimage.digest'] }}" | tee -a "${GITHUB_ENV}"
+
+      - name: Generate build provenance attestation
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          subject-digest: ${{ env.DIGEST_SHA }}
+          push-to-registry: true
+
+      - name: Generate SBOM
+        uses: anchore/sbom-action@v0
+        with:
+          format: 'spdx-json'
+          output-file: 'sbom.spdx.json'
+          upload-artifact: false
+
+      - name: Generate SBOM attestation
+        uses: actions/attest-sbom@v1
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          subject-digest: ${{ env.DIGEST_SHA }}
+          sbom-path: 'sbom.spdx.json'
+          push-to-registry: true