From ee16e5e3f2324a852e7478edd24169e321cfe8d0 Mon Sep 17 00:00:00 2001
From: Jan Kiszka
Date: Fri, 8 Mar 2024 15:55:24 +0100
Subject: [PATCH] ci: Enable build provenance attestation

Will enrich the manifests with detailed information how the build was done which shall further improve transparency.

Signed-off-by: Jan Kiszka
---
 .github/workflows/master.yml | 1 +
 .github/workflows/next.yml | 2 ++
 .github/workflows/release.yml | 1 +
 3 files changed, 4 insertions(+)

diff --git a/.github/workflows/master.yml b/.github/workflows/master.yml
index 25ae1518..7d7e7a5f 100644
--- a/.github/workflows/master.yml
+++ b/.github/workflows/master.yml
@@ -41,5 +41,6 @@ jobs:
 build-args: |
 SOURCE_DATE_EPOCH=${{ env.SOURCE_DATE_EPOCH }}
 DEBIAN_TAG=${{ env.DEBIAN_TAG }}
+ provenance: mode=max
 outputs: type=registry,rewrite-timestamp=true
 tags: ghcr.io/siemens/kas/${{ matrix.image-name }}
diff --git a/.github/workflows/next.yml b/.github/workflows/next.yml
index b794cb6c..1bea2639 100644
--- a/.github/workflows/next.yml
+++ b/.github/workflows/next.yml
@@ -87,6 +87,7 @@ jobs:
 build-args: |
 SOURCE_DATE_EPOCH=${{ env.SOURCE_DATE_EPOCH }}
 DEBIAN_TAG=${{ env.DEBIAN_TAG }}
+ provenance: mode=max
 outputs: type=docker,rewrite-timestamp=true
 tags: ghcr.io/siemens/kas/${{ matrix.image-name }}:next
 - name: Test ${{ matrix.image-name }} image
@@ -102,5 +103,6 @@ jobs:
 build-args: |
 SOURCE_DATE_EPOCH=${{ env.SOURCE_DATE_EPOCH }}
 DEBIAN_TAG=${{ env.DEBIAN_TAG }}
+ provenance: mode=max
 outputs: type=registry,rewrite-timestamp=true
 tags: ghcr.io/siemens/kas/${{ matrix.image-name }}:next
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index a622161a..ef717409 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -32,6 +32,7 @@ jobs:
 build-args: |
 SOURCE_DATE_EPOCH=${{ env.SOURCE_DATE_EPOCH }}
 DEBIAN_TAG=${{ env.DEBIAN_TAG }}
+ provenance: mode=max
 outputs: type=registry,rewrite-timestamp=true
 tags: |
 ghcr.io/siemens/kas/${{ matrix.image-name }}
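Review bot: `provenance: mode=max` publishes the full build arguments and the Dockerfile inside the attestation that is pushed alongside the image, so the `build-args` block directly above the added line becomes part of the public manifest; today it only carries `SOURCE_DATE_EPOCH` and `DEBIAN_TAG`, but the constraint should be written down next to the setting, e.g. `# mode=max records build-args and the Dockerfile in the published attestation; never pass secrets via build-args`. The same applies to the second hunk of next.yml and to the release.yml hunk. The attestation is an unsigned in-toto statement attached as an extra manifest in the image index, so it documents the build but does not by itself let a consumer verify it; if verification is the goal, a signing step would be a follow-up. Adding that manifest also changes the pushed artifact from a single manifest to an index, so it is worth confirming that the usual pull paths for `ghcr.io/siemens/kas` images still behave as before. The enclosing build-and-push step starts outside the hunk.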
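Review bot: The first next.yml hunk exports with `outputs: type=docker,rewrite-timestamp=true`, a local image load rather than a registry push, and as far as I recall the docker exporter does not carry attestation manifests, so `provenance: mode=max` in this step is likely either ignored with a warning or rejected by buildx. Check the run log of this job after the change; if the setting is ineffective here, drop the added line from this step only (the registry push in the second next.yml hunk keeps it) so the workflow does not suggest the locally tested image carries provenance. The enclosing step starts outside the hunk.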