From f4a6928ae6df18190fbdf9de0bf5be0fb2864851 Mon Sep 17 00:00:00 2001
From: dfunkt
Date: Sat, 4 May 2024 15:33:44 +0300
Subject: [PATCH] Add Github Attestations support
---
 .github/workflows/build-and-push.yaml | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
diff --git a/.github/workflows/build-and-push.yaml b/.github/workflows/build-and-push.yaml
index c684b3f64cc..ea4889675c2 100644
--- a/.github/workflows/build-and-push.yaml
+++ b/.github/workflows/build-and-push.yaml
@@ -18,6 +18,8 @@ jobs:
 permissions:
 contents: read
 packages: write
+ id-token: write
+ attestations: write
 steps:
 - name: Checkout repository
@@ -49,6 +51,7 @@ jobs:
 - name: Bake ${{ matrix.base_image }} containers
 uses: docker/bake-action@v4
+ id: build
 env:
 BASE_TAGS: "${{ env.BASE_TAGS }}"
 CONTAINER_REGISTRIES: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
@@ -57,9 +60,30 @@ jobs:
 VW_VERSION: ${{ github.sha }}
 with:
 push: true
+ sbom: true
 files: docker/docker-bake.hcl
 targets: ${{ matrix.base_image }}-multi
 set: |
 *.platform=linux/amd64,linux/arm64
 *.cache-from=type=gha
 *.cache-to=type=gha,mode=max
+
+ - name: Extract digest SHA
+ run: |
+ GET_DIGEST_SHA="$(echo '${{ steps.build.outputs.metadata }}' | jq -r '.["${{ matrix.base_image }}-multi"]."containerimage.digest"')"
+ echo "DIGEST_SHA=${GET_DIGEST_SHA}" | tee -a "${GITHUB_ENV}"
+
+ - name: Generate build provenance attestation
+ uses: actions/attest-build-provenance@v1
+ with:
+ subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+ subject-digest: ${{ env.DIGEST_SHA }}
+ push-to-registry: true
+
+ - name: Generate SBOM attestation
+ uses: actions/attest-sbom@v1
+ with:
+ subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+ subject-digest: ${{ env.DIGEST_SHA }}
+ sbom-path: 'sbom.spdx.json'
+ push-to-registry: true
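Review bot: `id-token: write` and `attestations: write` are added to the job-level permissions block, so every step in the job can mint an OIDC token and publish attestations, including the third-party docker/bake-action step (referenced by the mutable tag `docker/bake-action@v4` in the next hunk) and any steps outside this patch, while only the two actions/attest-* steps need them. Consider pinning the third-party actions to a full commit SHA, or moving the attestation steps into a separate job that receives the image digest as a job output and is the only job holding these two permissions. The enclosing job definition starts outside the hunk, so I cannot see its trigger or other steps.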
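Review bot: The `run:` script of "Extract digest SHA" interpolates `${{ steps.build.outputs.metadata }}` and `${{ matrix.base_image }}` directly into shell source; a single quote anywhere in the bake metadata breaks out of the quoted `echo` and the remainder is executed, which is the standard expression-injection pattern GitHub documents against, so pass both values through `env:` and read them as shell variables (with `--arg` for the jq lookup). The `jq -r` lookup also yields the literal string `null` when the target key or `containerimage.digest` is absent, and that value then flows via `DIGEST_SHA` into `subject-digest` of both attestation steps; the step should fail explicitly instead. Separately, nothing in this hunk writes `sbom.spdx.json`: buildx's `sbom: true` attaches an SBOM attestation to the pushed image rather than emitting a workspace file, so unless a step outside this patch produces that file the attest-sbom step cannot read its `sbom-path` — confirm where it comes from.
```yaml
      - name: Extract digest SHA
        env:
          BAKE_METADATA: ${{ steps.build.outputs.metadata }}
          BAKE_TARGET: ${{ matrix.base_image }}-multi
        run: |
          GET_DIGEST_SHA="$(printf '%s' "$BAKE_METADATA" | jq -r --arg t "$BAKE_TARGET" '.[$t]."containerimage.digest"')"
          if [ -z "$GET_DIGEST_SHA" ] || [ "$GET_DIGEST_SHA" = "null" ]; then
            echo "No containerimage.digest for target $BAKE_TARGET in bake metadata" >&2
            exit 1
          fi
          echo "DIGEST_SHA=${GET_DIGEST_SHA}" | tee -a "${GITHUB_ENV}"
      # … unchanged: provenance and SBOM attestation steps …
```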