diff --git a/.github/workflows/image.yml b/.github/workflows/image.yml
index 50421eb213..81856015b8 100644
--- a/.github/workflows/image.yml
+++ b/.github/workflows/image.yml
@@ -21,6 +21,8 @@ jobs:
     permissions:
       contents: read
       id-token: write
+      attestations: write
+      packages: write
     strategy:
       fail-fast: false
       matrix:
@@ -96,6 +98,13 @@ jobs:
       run: |
         cosign sign -y quay.io/sustainable_computing_io/${{matrix.IMAGE_NAME}}:${{matrix.LABEL}}@${{ steps.build-push-image.outputs.digest }}
 
+    - name: Generate image attestation
+      uses: actions/attest-build-provenance@v1
+      with:
+        subject-name: quay.io/sustainable_computing_io/${{matrix.IMAGE_NAME}}
+        subject-digest: ${{ steps.build-push-image.outputs.digest }}
+        push-to-registry: true
+
     - name: Generate SBOM
       uses: anchore/sbom-action@v0.17.2
       with:
@@ -110,3 +119,11 @@ jobs:
         name: sbom-${{matrix.IMAGE_NAME}}-${{matrix.LABEL}}.spdx.json
         path: ./sbom-${{matrix.IMAGE_NAME}}-${{matrix.LABEL}}.spdx.json
         retention-days: 1
+
+    - name: Generate SBOM attestation
+      uses: actions/attest-sbom@v1
+      with:
+        subject-name: quay.io/sustainable_computing_io/${{matrix.IMAGE_NAME}}
+        subject-digest: ${{ steps.build-push-image.outputs.digest }}
+        sbom-path: ./sbom-${{matrix.IMAGE_NAME}}-${{matrix.LABEL}}.spdx.json
+        push-to-registry: true
diff --git a/.github/workflows/image_base.yml b/.github/workflows/image_base.yml
index 6d465594f6..0d9814adcb 100644
--- a/.github/workflows/image_base.yml
+++ b/.github/workflows/image_base.yml
@@ -18,6 +18,8 @@ jobs:
     permissions:
       contents: read
       id-token: write
+      attestations: write
+      packages: write
     steps:
     - name: Checkout
       uses: actions/checkout@v4
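Review bot: `packages: write` is added to the job's GITHUB_TOKEN scopes even though every image, signature and attestation in this workflow is addressed to quay.io; for actions/attest-build-provenance and actions/attest-sbom the packages scope is only needed when push-to-registry writes to the GitHub Container Registry, so unless a ghcr.io push exists outside the hunk the grant is unused privilege. Keep the new `attestations: write` line, which the attest actions do require, and drop `packages: write`; the same applies to the identical permissions hunk in image_base.yml further down. The `permissions:` block belongs to a job whose definition starts before the hunk.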
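Review bot: `push-to-registry: true` is hardcoded in the new attestation step, whereas the equivalent step added to image_base.yml gates it on `${{ inputs.pushImage }}`; if this workflow can also build without pushing (the build step and any `if:` on it are outside the hunk), the action would try to attach an attestation to a digest that was never pushed and fail against quay.io, so gate it the same way or confirm this job always pushes. The registry write also relies on the quay.io login performed earlier in the job still being in effect at this step. Both attest actions here and in the SBOM attestation hunk below, as well as in image_base.yml, are referenced by the mutable `@v1` major tag; since these steps produce the provenance that downstream verifiers will trust, pin them to a full commit SHA with the version as a trailing comment, e.g. `uses: actions/attest-build-provenance@<full-commit-sha>  # v1.x`.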
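Review bot: The SBOM attestation is bound to `steps.build-push-image.outputs.digest`, but the SBOM it wraps is produced by the anchore/sbom-action step whose `image:` input is outside the hunk; if that step scans the mutable `${{matrix.IMAGE_NAME}}:${{matrix.LABEL}}` tag rather than a digest-pinned reference, the attested subject and the SBOM content can diverge if the tag is moved between steps. Confirm the SBOM step scans `quay.io/sustainable_computing_io/${{matrix.IMAGE_NAME}}@${{ steps.build-push-image.outputs.digest }}` (or the local build output) so the attestation describes exactly the attested digest. The `sbom-${{matrix.IMAGE_NAME}}-${{matrix.LABEL}}.spdx.json` file name is now spelled out three times in the job (artifact `name:`, `path:` and `sbom-path:`); a single job-level `env:` value would keep them from drifting.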
@@ -48,3 +50,10 @@ jobs:
     - name: Sign images with GitHub OIDC token
       run: |
         cosign sign -y quay.io/sustainable_computing_io/kepler_builder:ubi-9-libbpf-1.3.0@${{ steps.build-push-image.outputs.digest }}
+
+    - name: Generate image attestation
+      uses: actions/attest-build-provenance@v1
+      with:
+        subject-name: quay.io/sustainable_computing_io/kepler_builder
+        subject-digest: ${{ steps.build-push-image.outputs.digest }}
+        push-to-registry: ${{ inputs.pushImage }}
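Review bot: The new step runs unconditionally while only its `push-to-registry` input follows `${{ inputs.pushImage }}`, so when the caller passes `false` a provenance attestation is still created and recorded in the repository's attestation store for a kepler_builder digest that was never published, which can mislead anyone later verifying provenance. Unless that is intended, gate the whole step with `if: ${{ inputs.pushImage }}` (or the same condition the sign step above uses — its `if:`, if any, is not visible in the hunk). The job this step belongs to starts before the hunk.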