From 40a9827fed992e3552124bece052577272912d0f Mon Sep 17 00:00:00 2001
From: Ron <45816308+rjaegers@users.noreply.github.com>
Date: Wed, 15 May 2024 06:07:44 +0000
Subject: [PATCH 1/2] ci: use GitHub attestations
---
 .github/workflows/build-push.yml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/.github/workflows/build-push.yml b/.github/workflows/build-push.yml
index e05577cc..b75cf777 100644
--- a/.github/workflows/build-push.yml
+++ b/.github/workflows/build-push.yml
@@ -22,6 +22,7 @@ jobs:
 build-push:
 runs-on: ubuntu-latest
 permissions:
+ attestations: write
 contents: write
 packages: write
 pull-requests: write
@@ -98,6 +99,10 @@ jobs:
 with:
 comment-summary-in-pr: on-failure
 fail-on-severity: critical
+ - uses: actions/attest-build-provenance@v1
+ with:
+ subject-name: ${{ env.REGISTRY }}/${{ github.repository }}-${{ matrix.flavor }}
+ subject-digest: ${{ steps.build-and-push.outputs.digest }}
 - name: Sign the images with GitHub OIDC token
 if: github.event_name != 'merge_group'
 # This step uses the GitHub OIDC identity token to provision an ephemeral certificate
From 96012778fd390f6e339f0ea1cfd3ab4438a390e7 Mon Sep 17 00:00:00 2001
From: Ron <45816308+rjaegers@users.noreply.github.com>
Date: Wed, 15 May 2024 06:08:29 +0000
Subject: [PATCH 2/2] ci: pin action
---
 .github/workflows/build-push.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build-push.yml b/.github/workflows/build-push.yml
index b75cf777..8d75be15 100644
--- a/.github/workflows/build-push.yml
+++ b/.github/workflows/build-push.yml
@@ -99,7 +99,7 @@ jobs:
 with:
 comment-summary-in-pr: on-failure
 fail-on-severity: critical
- - uses: actions/attest-build-provenance@v1
+ - uses: actions/attest-build-provenance@951c0c5f8e375ad4efad33405ab77f7ded2358e4 # v1.1.1
 with:
 subject-name: ${{ env.REGISTRY }}/${{ github.repository }}-${{ matrix.flavor }}
 subject-digest: ${{ steps.build-and-push.outputs.digest }}
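Review bot: `attestations: write` on its own does not let actions/attest-build-provenance run; the action also needs `id-token: write` to obtain the OIDC token it signs the provenance with, and that grant is not in the three context lines shown under the new key. The existing "Sign the images with GitHub OIDC token" step suggests `id-token: write` is already present further down the permissions block, but a missing grant only surfaces as a run-time failure of the attest step, so it is worth confirming. The permissions block continues past the end of this hunk.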
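Review bot: The new attest step has no `if:` guard, while the sign step immediately below it is skipped with `if: github.event_name != 'merge_group'`; if build-and-push (defined outside this hunk) does not push an image on merge_group, `steps.build-and-push.outputs.digest` is empty and the attestation either fails the job or is bound to nothing. Give the step the same condition, `if: github.event_name != 'merge_group'`, so the two signing mechanisms run under identical circumstances. Separately, without `push-to-registry: true` the provenance lives only in GitHub's attestation store and is not attached to the image in the registry, so consumers that verify from the registry alone will not find it; whether that matters depends on who verifies these images, which I cannot tell from here. The step list continues outside the hunk.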
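Review bot: The `# v1.1.1` annotation on the pinned SHA is informational only: the runner resolves the commit hash, nothing checks that the comment still matches it, and a manual bump of one without the other drifts silently. Enabling Dependabot (or Renovate) for the github-actions ecosystem keeps the SHA and its version comment moving together. Whether the other actions in this workflow are pinned to a commit the same way is not visible in this hunk.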