Add Github Attestations support

dfunkt · May 4, 2024 · f4a6928 · f4a6928
1 parent 15e35f4
commit f4a6928
Showing 1 changed file with 24 additions and 0 deletions.
diff --git a/.github/workflows/build-and-push.yaml b/.github/workflows/build-and-push.yaml
@@ -18,6 +18,8 @@ jobs:
     permissions:
       contents: read
       packages: write
+      id-token: write
+      attestations: write
 
     steps:
       - name: Checkout repository
@@ -49,6 +51,7 @@ jobs:
 
       - name: Bake ${{ matrix.base_image }} containers
         uses: docker/bake-action@v4
+        id: build
         env:
           BASE_TAGS: "${{ env.BASE_TAGS }}"
           CONTAINER_REGISTRIES: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
@@ -57,9 +60,30 @@ jobs:
           VW_VERSION: ${{ github.sha }}
         with:
           push: true
+          sbom: true
           files: docker/docker-bake.hcl
           targets: ${{ matrix.base_image }}-multi
           set: |
             *.platform=linux/amd64,linux/arm64
             *.cache-from=type=gha
             *.cache-to=type=gha,mode=max
+
+      - name: Extract digest SHA
+        run: |
+          GET_DIGEST_SHA="$(echo '${{ steps.build.outputs.metadata }}' | jq -r '.["${{ matrix.base_image }}-multi"]."containerimage.digest"')"
+          echo "DIGEST_SHA=${GET_DIGEST_SHA}" | tee -a "${GITHUB_ENV}"
+
+      - name: Generate build provenance attestation
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          subject-digest: ${{ env.DIGEST_SHA }}
+          push-to-registry: true
+
+      - name: Generate SBOM attestation
+        uses: actions/attest-sbom@v1
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          subject-digest: ${{ env.DIGEST_SHA }}
+          sbom-path: 'sbom.spdx.json'
+          push-to-registry: true