diff --git a/.github/workflows/ghcr-publish.yml b/.github/workflows/ghcr-publish.yml
index 6153f26..d55dc07 100644
--- a/.github/workflows/ghcr-publish.yml
+++ b/.github/workflows/ghcr-publish.yml
@@ -19,6 +19,8 @@ jobs:
 permissions:
 contents: read
 packages: write
+ id-token: write # mint the OIDC token the attestation is signed with
+ attestations: write # write the build-provenance attestation (the "claim")
 steps:
 - name: Checkout repository
@@ -49,9 +51,28 @@ jobs:
 sudo nerdctl tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
 - name: Push image
+ id: push
 run: |
 sudo nerdctl push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
 sudo nerdctl push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
+ # nerdctl push has no --digestfile, so read the real sha256 back from
+ # the registry with skopeo (pre-installed on ubuntu-latest). This is
+ # the digest the registry actually holds for the pushed tag.
+ DIGEST="$(skopeo inspect --format '{{.Digest}}' \
+ --creds "${{ github.actor }}:${{ secrets.GITHUB_TOKEN }}" \
+ docker://${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }})"
+ echo "digest=$DIGEST" >> "$GITHUB_OUTPUT"
+
+ # GitHub native artifact attestation (build provenance) for the pushed
+ # image. Verify with:
+ # gh attest verify oci://ghcr.io/${{ github.repository }}: \
+ # --repo ${{ github.repository }}
+ - name: Attest container provenance
+ uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2
+ with:
+ subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+ subject-digest: ${{ steps.push.outputs.digest }}
+ push-to-registry: true
 - name: Tag release version
 if: github.event_name == 'release'
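Review bot: The two inline comments added to the permissions block in the first hunk sit one space after the value, which yamllint's `comments` rule (two spaces before an inline `#`) flags; write them as `id-token: write  # mint the OIDC token the attestation is signed with` and `attestations: write  # write the build-provenance attestation (the "claim")`. It is also worth recording next to `id-token: write` that the grant is job-scoped, so every step in this job, not only the attestation step, can request an OIDC token carrying this workflow's identity, and any external trust relationship keyed on that identity is reachable from any of them. A short note such as `# job-wide: any step here can mint an OIDC token, so keep every uses: pinned to a commit SHA` makes that trade-off visible to the next editor. The attest step in the later hunk is pinned by commit SHA; whether the checkout step's `uses:` line is pinned is outside this hunk.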