From 501c4fd79e91493eb96481c0d54aae32b0fe8062 Mon Sep 17 00:00:00 2001
From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com>
Date: Thu, 25 Jun 2026 09:13:10 +0100
Subject: [PATCH] feat(ci): attest build provenance

Adds actions/attest-build-provenance@v2 (SHA-pinned) after the container build-push step, with id-token+attestations job permissions and the image digest captured via the build-push step id. Additive only.

Co-Authored-By: Claude Opus 4.8
---
 .github/workflows/container.yml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml
index 1bd5750..e40dcf0 100644
--- a/.github/workflows/container.yml
+++ b/.github/workflows/container.yml
@@ -16,6 +16,8 @@ jobs:
     permissions:
       contents: read
       packages: write
+      id-token: write # mint the OIDC token the attestation is signed with
+      attestations: write # write the build-provenance attestation (the "claim")
     steps:
       - name: Checkout
         uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v4
@@ -40,6 +42,7 @@ jobs:
             type=sha
             type=raw,value=latest,enable={{is_default_branch}}
       - name: Build and push (multi-arch)
+        id: push
         uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v5
         with:
           context: .
@@ -52,3 +55,9 @@ jobs:
           cache-to: type=gha,mode=max
           provenance: true
           sbom: true
+      - name: Attest container provenance
+        uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
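Review bot: The new `Attest container provenance` step in the third hunk has no `if:` guard, while the build step's `push:` setting and the workflow's triggers sit outside the hunk; if this workflow also runs on `pull_request`, the step will fail rather than skip, because fork PRs are not granted `id-token: write` and an image that was never pushed gives `push-to-registry: true` nothing to attach the attestation to. Mirror whatever condition gates the push, e.g. `if: github.event_name != 'pull_request'`, so only published digests are attested. Separately, `subject-name` is assembled from `env.REGISTRY`/`env.IMAGE_NAME` rather than the metadata step's normalised output; if `IMAGE_NAME` can carry uppercase characters (a `github.repository` value typically does), confirm it is lowercased before use, since registry references must be lowercase for the push to resolve. The `# v2` comments next to the pinned SHAs are the only human-readable version signal, so keep them in step with the SHA whenever the pin is bumped.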