2525 needs : release-please
2626 if : needs.release-please.outputs.release_created == 'true'
2727 runs-on : ubuntu-latest
28+ permissions :
29+ contents : read
30+ packages : write
31+ id-token : write
32+ attestations : write
33+ env :
34+ REGISTRY : ghcr.io
35+ IMAGE_NAME : ${{ github.repository }}
2836 steps :
2937 - uses : actions/checkout@v4
3038
@@ -38,23 +46,43 @@ jobs:
3846
3947 - uses : docker/login-action@v3
4048 with :
41- registry : ghcr.io
49+ registry : ${{ env.REGISTRY }}
4250 username : ${{ github.actor }}
4351 password : ${{ secrets.GITHUB_TOKEN }}
4452
4553 - uses : docker/metadata-action@v5
4654 id : meta
4755 with :
48- images : ghcr.io /${{ github.repository }}
56+ images : ${{ env.REGISTRY }} /${{ env.IMAGE_NAME }}
4957 tags : |
5058 type=semver,pattern={{version}},value=${{ needs.release-please.outputs.tag_name }}
5159 type=semver,pattern={{major}}.{{minor}},value=${{ needs.release-please.outputs.tag_name }}
5260 type=raw,value=latest
5361
54- - uses : docker/build-push-action@v6
62+ - id : build
63+ uses : docker/build-push-action@v6
5564 with :
5665 context : .
5766 push : true
5867 platforms : linux/amd64,linux/arm64
5968 tags : ${{ steps.meta.outputs.tags }}
6069 labels : ${{ steps.meta.outputs.labels }}
70+ provenance : mode=max
71+ sbom : true
72+
73+ - name : Install cosign
74+ uses : sigstore/cosign-installer@v3
75+
76+ - name : Cosign keyless sign
77+ env :
78+ COSIGN_EXPERIMENTAL : " 1"
79+ DIGEST : ${{ steps.build.outputs.digest }}
80+ run : |
81+ cosign sign --yes "${REGISTRY}/${IMAGE_NAME}@${DIGEST}"
82+
83+ - name : Attest build provenance
84+ uses : actions/attest-build-provenance@v2
85+ with :
86+ subject-name : ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
87+ subject-digest : ${{ steps.build.outputs.digest }}
88+ push-to-registry : true
0 commit comments