From 71aa19faa586c61c33667c7b0074cf3f8a1bb164 Mon Sep 17 00:00:00 2001
From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com>
Date: Thu, 25 Jun 2026 09:12:52 +0100
Subject: [PATCH] feat(ci): attest build provenance

Estate artifact-attestation rollout mirroring the proven exemplar.
Attests: container image pushed by container-build job.
---
 .github/workflows/ci-cd.yml | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/.github/workflows/ci-cd.yml b/.github/workflows/ci-cd.yml
index dfe9477..563c56d 100644
--- a/.github/workflows/ci-cd.yml
+++ b/.github/workflows/ci-cd.yml
@@ -204,6 +204,8 @@ jobs:
       contents: read
       packages: write
       security-events: write
+      id-token: write
+      attestations: write
     steps:
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -275,6 +277,7 @@ jobs:
           severity-cutoff: high
 
       - name: Push container image
+        id: push
         if: github.event_name != 'pull_request'
         uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
         with:
@@ -284,6 +287,14 @@ jobs:
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
 
+      - name: Attest container provenance
+        if: github.event_name != 'pull_request'
+        uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
+
   # SonarCloud analysis
   sonarcloud:
     name: SonarCloud Analysis
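Review bot: In the third hunk the attestation's `subject-name` is assembled from the raw `env.REGISTRY`/`env.IMAGE_NAME`, whereas the image actually pushed is whatever `steps.meta.outputs.tags` produced; if IMAGE_NAME is derived from `github.repository` and carries uppercase, docker/metadata-action lowercases the tags while the subject name would not match, so `push-to-registry: true` would fail or attach provenance to a name nobody pulls — worth confirming IMAGE_NAME is already lowercase (its definition is outside the hunk). The `if` mirrors the push step's condition, so `steps.push.outputs.digest` is only read when the push ran, but the step also relies on the job having authenticated to the registry earlier, which the hunk does not show. A short comment above the step would help the next maintainer connect it to the new `id-token: write` / `attestations: write` permissions in the first hunk, e.g. `# Sigstore-signed SLSA provenance for the pushed image (needs id-token + attestations: write); verify with: gh attestation verify oci://<REGISTRY>/<IMAGE_NAME>@<DIGEST> --owner <ORG>`.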