From e86a70aff830c218ac27cd6bcd6e12d26fc1dc6f Mon Sep 17 00:00:00 2001 From: dfunkt Date: Sat, 4 May 2024 15:33:44 +0300 Subject: [PATCH] Add Github Attestations support --- .github/workflows/build-and-push.yaml | 33 +++++++++++++++++++++++++-- 1 file changed, 31 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-and-push.yaml b/.github/workflows/build-and-push.yaml index c684b3f64cc..4ac517327d2 100644 --- a/.github/workflows/build-and-push.yaml +++ b/.github/workflows/build-and-push.yaml @@ -18,6 +18,8 @@ jobs: permissions: contents: read packages: write + id-token: write + attestations: write steps: - name: Checkout repository @@ -49,6 +51,7 @@ jobs: - name: Bake ${{ matrix.base_image }} containers uses: docker/bake-action@v4 + id: build env: BASE_TAGS: "${{ env.BASE_TAGS }}" CONTAINER_REGISTRIES: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} @@ -61,5 +64,31 @@ jobs: targets: ${{ matrix.base_image }}-multi set: | *.platform=linux/amd64,linux/arm64 - *.cache-from=type=gha - *.cache-to=type=gha,mode=max + *.cache-from=type=gha,scope=${{ matrix.base_image }} + *.cache-to=type=gha,scope=${{ matrix.base_image }},mode=max + + - name: Extract digest SHA + run: | + echo DIGEST_SHA="${{ fromJSON(steps.build.outputs.metadata)."${{ matrix.base_image }}-multi"['containerimage.digest'] }}" | tee -a "${GITHUB_ENV}" + + - name: Generate build provenance attestation + uses: actions/attest-build-provenance@v1 + with: + subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + subject-digest: ${{ env.DIGEST_SHA }} + push-to-registry: true + + - name: Generate SBOM + uses: anchore/sbom-action@v0 + with: + format: 'spdx-json' + output-file: 'sbom.spdx.json' + upload-artifact: false + + - name: Generate SBOM attestation + uses: actions/attest-sbom@v1 + with: + subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + subject-digest: ${{ env.DIGEST_SHA }} + sbom-path: 'sbom.spdx.json' + push-to-registry: true
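Review bot: The SBOM that `Generate SBOM attestation` binds to `DIGEST_SHA` is not an SBOM of that image: `anchore/sbom-action` is invoked with neither `image:` nor `path:`, so as far as I can see it falls back to scanning the checked-out repository, and consumers verifying the pushed image would get a source-tree inventory presented as the image's contents. Point it at the artifact being attested, `image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ env.DIGEST_SHA }}` (the registry login earlier in the workflow presumably covers the pull; note that syft resolves a multi-arch index to the runner's own platform, so this still only describes one architecture unless per-platform digests are attested). In `Extract digest SHA` the inner `${{ matrix.base_image }}` is nested inside an outer `${{ … }}`, which GitHub's expression syntax does not support as far as I can tell, and the step writes whatever comes back into `GITHUB_ENV` unchecked; I would pass the bake metadata and target name in via `env:` instead of interpolating into the shell, extract the digest with `jq`, and fail the job unless it matches `^sha256:[0-9a-f]{64}$`, so a failed lookup cannot produce a signed attestation with an empty or bogus subject. Since this job now mints Sigstore-signed provenance under `id-token: write`, the newly added actions (`actions/attest-build-provenance@v1`, `actions/attest-sbom@v1`, `anchore/sbom-action@v0`) also deserve full commit-SHA pins rather than mutable major tags.
```yaml
      - name: Extract digest SHA
        env:
          BAKE_METADATA: ${{ steps.build.outputs.metadata }}
          BAKE_TARGET: ${{ matrix.base_image }}-multi
        run: |
          DIGEST_SHA="$(jq -r --arg t "${BAKE_TARGET}" '.[$t]["containerimage.digest"] // empty' <<< "${BAKE_METADATA}")"
          # Refuse to attest anything that is not a well-formed sha256 image digest.
          if [[ ! "${DIGEST_SHA}" =~ ^sha256:[0-9a-f]{64}$ ]]; then
            echo "::error::no image digest found for bake target ${BAKE_TARGET}" >&2
            exit 1
          fi
          echo "DIGEST_SHA=${DIGEST_SHA}" | tee -a "${GITHUB_ENV}"

      # … unchanged: Generate build provenance attestation …

      - name: Generate SBOM
        uses: anchore/sbom-action@v0
        with:
          # Scan the image that is about to be attested, not the source checkout.
          image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ env.DIGEST_SHA }}
          format: 'spdx-json'
          output-file: 'sbom.spdx.json'
          upload-artifact: false

      # … unchanged: Generate SBOM attestation …
```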