From ef45d9238a480e4e496cc82c28a6e2a151ff5fbe Mon Sep 17 00:00:00 2001
From: danjov
Date: Fri, 8 Nov 2024 15:52:46 +0100
Subject: [PATCH] Fix permissions and generate attestation

---
 .github/workflows/pre-release.yml | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/.github/workflows/pre-release.yml b/.github/workflows/pre-release.yml
index f804f56..ef5adb0 100644
--- a/.github/workflows/pre-release.yml
+++ b/.github/workflows/pre-release.yml
@@ -14,6 +14,11 @@ jobs:
 create-pre-release:
 runs-on: ubuntu-latest
 name: Build and push Docker image and create a new GitHub pre-release
+ permissions:
+ id-token: write
+ contents: read
+ attestations: write
+ packages: write
 steps:
 
 - name: Checkout repository
@@ -26,6 +31,9 @@ jobs:
 echo COMMITED_AT=$(git show -s --format=%cI `git rev-parse HEAD`) >> $GITHUB_ENV
 echo REVISION=$(git rev-parse --short HEAD) >> $GITHUB_ENV
 
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
 - name: Collect Docker image metadata
 id: meta
 uses: docker/metadata-action@v5
@@ -49,6 +57,7 @@ jobs:
 password: ${{ secrets.GITHUB_TOKEN }}
 
 - name: Build and push Docker image
+ id: push
 uses: docker/build-push-action@v5
 with:
 context: .
@@ -61,6 +70,21 @@ jobs:
 sbom: true
 provenance: mode=max
 
+ - name: Generate docker image attestation
+ uses: actions/attest-build-provenance@v1
+ with:
+ subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+ subject-digest: ${{ steps.push.outputs.digest }}
+ push-to-registry: true
+
+ - name: Generate SBOM attestation
+ uses: actions/attest-sbom@v1
+ with:
+ subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+ subject-digest: ${{ steps.push.outputs.digest }}
+ sbom-path: 'sbom.json'
+ push-to-registry: true
+
 - name: Create GitHub pre-release
 run: |
 gh api \
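Review bot: `contents: read` looks too narrow for this job: the `Create GitHub pre-release` step at the bottom of the file (visible only as context in the last hunk, its body outside the diff) runs `gh api`, and creating a release with `GITHUB_TOKEN` needs `contents: write`, so scoping the token down here should make that step fail with a 403 unless it authenticates with a different token. Suggested line: `contents: write`. The other three grants match what the attestation steps (`id-token`, `attestations`) and the registry push (`packages`) require, so the block is otherwise least-privilege as intended. The job definition continues outside this hunk.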
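Review bot: `uses: docker/setup-buildx-action@v3` pins a mutable major tag in a job that now signs provenance with the repository's OIDC identity, so whoever can move that tag can change the builder that produces the attested image. Pin it, and the other third-party actions in this workflow, to a full commit SHA with the version kept as a trailing comment, e.g. `uses: docker/setup-buildx-action@<full-commit-sha> # v3`, and let Dependabot or Renovate bump the SHA.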
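Review bot: `sbom-path: 'sbom.json'` points at a file nothing in this workflow is shown to produce: `sbom: true` on build-push-action attaches a BuildKit SBOM attestation to the pushed image manifest, it does not write a JSON file into the workspace, so `actions/attest-sbom` will fail on a missing file unless a step outside this diff creates it. Either add a step before it that runs an SBOM generator against `${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.push.outputs.digest }}` and writes `sbom.json`, or drop the step and rely on the BuildKit SBOM already in the registry. A comment on the provenance step would also help readers, since the image now carries two provenance documents: `# BuildKit provenance (provenance: mode=max) is attached by buildx; this adds a Sigstore-signed GitHub attestation verifiable with gh attestation verify`. Consider a final `gh attestation verify oci://${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.push.outputs.digest }} --owner ${{ github.repository_owner }}` step so a broken attestation fails the release instead of being discovered by consumers.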