Merge pull request #830 from cjmayo/attest

Use actions/attest for Docker images and Python distributions
2026-03-16 22:10:26 +00:00 · 2024-08-27 19:33:39 +01:00 · 2024-08-27 19:33:39 +01:00 · e23ca84177
commit e23ca84177
parent b77e39f26b 34bacae063
2 changed files with 16 additions and 0 deletions
--- a/.github/workflows/publish-docker.yml
+++ b/.github/workflows/publish-docker.yml
@ -16,7 +16,9 @@ jobs:
  build-and-push-image:
    runs-on: ubuntu-latest
    permissions:
+      attestations: write
      contents: read
+      id-token: write
      packages: write

    steps:
@ -38,12 +40,20 @@ jobs:
            type=ref,event=branch

      - name: Build and push Docker image
+        id: push
        uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0  # v5.3.0
        with:
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}

+      - name: Attest
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
+
      - name: Delete oldest Docker images
        uses: actions/delete-package-versions@v5
        with:
--- a/.github/workflows/release-files.yml
+++ b/.github/workflows/release-files.yml
@ -8,6 +8,7 @@ jobs:
  run:
    runs-on: ubuntu-latest
    permissions:
+      attestations: write
      contents: write
      id-token: write

@ -39,6 +40,11 @@ jobs:
        run: >
            python3 -m hatchling build

+      - name: Attest
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-path: 'dist/*.{tar.gz,whl}'
+
      - name: Check distribution files
        run: >
            twine check dist/*.{tar.gz,whl}