diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index a93b7e9..84f217f 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -6,6 +6,7 @@ on:
 types: [ published ]
 env:
+ REGISTRY: docker.io
 REPO: cashtrack/website
 jobs:
@@ -14,6 +15,8 @@ jobs:
 permissions:
 contents: read
 packages: write
+ id-token: write
+ attestations: write
 steps:
 - name: Checkout repository
@@ -41,8 +44,8 @@ jobs:
 type=sha
 type=semver,pattern={{version}}
- # Setup BuildX
- # https://github.com/docker/setup-buildx-action
+ # Setup BuildX
+ # https://github.com/docker/setup-buildx-action
 - name: Setup BuildX
 uses: docker/setup-buildx-action@v3
 id: buildx
@@ -53,8 +56,17 @@ jobs:
 # https://github.com/docker/build-push-action
 - name: Build and push
 uses: docker/build-push-action@v6
+ id: push
 with:
 context: .
 push: ${{ github.event_name != 'pull_request' }}
 tags: ${{ steps.meta.outputs.tags }}
 labels: ${{ steps.meta.outputs.labels }}
+
+ - name: Attest
+ uses: actions/attest-build-provenance@v1
+ id: attest
+ with:
+ subject-name: ${{ env.REGISTRY }}/${{ env.REPO }}
+ subject-digest: ${{ steps.push.outputs.digest }}
+ push-to-registry: true
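Review bot: In the last hunk the new Attest step runs unconditionally with `push-to-registry: true`, while the preceding build step only pushes when `github.event_name != 'pull_request'`; on a run where nothing was pushed there is no registry image for the attestation to attach to and `steps.push.outputs.digest` may be empty, so the step would fail (or, if the action tolerates it, mint provenance for an image that is not in the registry). Gate the step the same way as the build: `if: ${{ github.event_name != 'pull_request' }}` on the Attest step, which also keeps the `id-token: write` OIDC exchange from happening on builds that produce nothing attestable. If the workflow's `on:` block (outside the hunk) never fires for pull requests, the guard is still worth adding so the two steps cannot drift apart. Secondarily, `actions/attest-build-provenance@v1` is introduced by mutable tag; for a step that signs supply-chain provenance, pinning to a full commit SHA (with the tag in a trailing comment) is the stronger choice, though the file's existing `@v3`/`@v6` pins follow the same tag convention.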