Merge pull request #1227 from c0rydoras/chore/add-container-scanning

chore(ci): use container-scanning-action

Author: derrabauke

.github/workflows/release.yaml

@@ -79,9 +79,18 @@ jobs:
 
       - name: build and push ${{ steps.parse-tagname.outputs.service }} image
         uses: docker/build-push-action@v6
+        id: docker
         with:
           context: ./${{ steps.parse-tagname.outputs.service }}/
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: |
             ${{ steps.meta.outputs.labels }}
+
+      - name: sign ${{ steps.parse-tagname.outputs.service }} image and attach SBOM attestation
+        uses: adfinis/container-scanning-action@v0.2.12
+        with:
+          image-ref: ghcr.io/${{ steps.repo.outputs.lower }}/${{ steps.parse-tagname.outputs.service }}
+          token: ${{ secrets.GITHUB_TOKEN }}
+          digest: ${{ steps.docker.outputs.digest }}
+          attest: true

.github/workflows/schedule.yaml

@@ -0,0 +1,38 @@
+---
+name: Schedule
+
+on:
+  schedule:
+    - cron: 4 4 * * *
+  workflow_dispatch:
+
+jobs:
+  scan:
+    strategy:
+      matrix:
+        service: [api, caluma, ember]
+
+    name: scan ${{ matrix.image }} image
+    runs-on: ubuntu-latest
+    permissions:
+      actions: none
+      checks: none
+      contents: none
+      deployments: none
+      issues: none
+      packages: write
+      pull-requests: none
+      repository-projects: none
+      security-events: write
+      statuses: none
+      # needed for `cosign attest`
+      id-token: write
+    steps:
+      - id: repo
+        run: |
+          echo "lower=$(echo '${{ github.repository }}' | tr '[:upper:]' '[:lower:]')" >> "$GITHUB_OUTPUT"
+      - uses: adfinis/container-scanning-action@v0.2.12
+        with:
+          image-ref: ghcr.io/${{ steps.repo.outputs.lower }}/${{ matrix.service }}
+          attest: true
+          token: ${{ secrets.GITHUB_TOKEN }}