update README

crazy-max · crazy-max · commit ceaf9fe03e54 · 2025-11-05T11:18:54.000+01:00
Signed-off-by: CrazyMax &lt;1951866+crazy-max@users.noreply.github.com&gt;
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -120,6 +120,7 @@ jobs:
     permissions:
       contents: read
       id-token: write # needed for signing the images with GitHub OIDC Token
+      packages: write # needed to push images to GitHub Container Registry
     steps:
       -
         name: Docker meta
diff --git a/README.md b/README.md
@@ -5,11 +5,52 @@
 
 This repository provides official Docker-maintained [reusable GitHub Actions workflows](https://docs.github.com/en/actions/how-tos/reuse-automations/reuse-workflows)
 to securely build container images using Docker best practices. The workflows
-sign BuildKit-generated SLSA-compliant provenance attestations and help
-establish Docker as a trusted authority in secure software supply chains.
+sign BuildKit-generated SLSA-compliant provenance attestations and align with
+the principles behind [Docker Hardened Images](https://docs.docker.com/dhi/how-to/use/),
+enabling open source projects to follow a seamless path toward higher levels of
+security and trust.
 
 ## :test_tube: Experimental
 
 This repository is considered **EXPERIMENTAL** and under active development
 until further notice. It is subject to non-backward compatible changes or
 removal in any future version.
+
+## Build reusable workflow
+
+```yaml
+name: ci
+
+permissions:
+  contents: read
+
+on:
+  push:
+    branches:
+      - 'main'
+    tags:
+      - 'v*'
+  pull_request:
+
+  build:
+    uses: docker/github-builder-experimental/.github/workflows/build.yml@main
+    permissions:
+      contents: read
+      id-token: write # for signing attestation manifests with GitHub OIDC Token
+      packages: write # needed to push images to GitHub Container Registry
+    with:
+      meta-images: name/app
+      meta-tags: |
+        type=ref,event=branch
+        type=ref,event=pr
+        type=semver,pattern={{version}}
+      build-output: ${{ github.event_name != 'pull_request' && 'registry' || 'cacheonly' }}
+      build-platforms: linux/amd64,linux/arm64
+    secrets:
+      registry-auths: |
+        - registry: docker.io
+          username: ${{ vars.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+```
+
+You can find the list of available inputs in [`.github/workflows/build.yml`](.github/workflows/build.yml).

Original file line number	Diff line number	Diff line change
`@@ -120,6 +120,7 @@ jobs:`
`120`	`120`	`permissions:`
`121`	`121`	`contents: read`
`122`	`122`	`id-token: write # needed for signing the images with GitHub OIDC Token`
	`123`	`+ packages: write # needed to push images to GitHub Container Registry`
`123`	`124`	`steps:`
`124`	`125`	`-`
`125`	`126`	`name: Docker meta`