From c2e5f692d7f90f093d5481571fca882d69cf83cb Mon Sep 17 00:00:00 2001 From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com> Date: Thu, 25 Jun 2026 09:12:50 +0100 Subject: [PATCH] feat(ci): attest build provenance Adds actions/attest-build-provenance@v2 (SHA-pinned) after the container build-push step, with id-token+attestations job permissions and the image digest captured via the build-push step id. Additive only. Co-Authored-By: Claude Opus 4.8 --- .github/workflows/publish-container.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/.github/workflows/publish-container.yml b/.github/workflows/publish-container.yml index 0997339..7c5d4c4 100644 --- a/.github/workflows/publish-container.yml +++ b/.github/workflows/publish-container.yml @@ -10,6 +10,11 @@ permissions: jobs: publish: runs-on: ubuntu-latest + permissions: + contents: read + packages: write + id-token: write # mint the OIDC token the attestation is signed with + attestations: write # write the build-provenance attestation (the "claim") steps: - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v4 - name: Log in to GitHub Container Registry @@ -29,6 +34,7 @@ jobs: type=semver,pattern={{major}} type=sha - name: Build and push + id: push uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v6 with: context: . @@ -36,3 +42,9 @@ jobs: push: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} + - name: Attest container provenance + uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2 + with: + subject-name: ghcr.io/${{ github.repository }} + subject-digest: ${{ steps.push.outputs.digest }} + push-to-registry: true