Skip to content

Bump actions/attest-build-provenance from 2.4.0 to 3.0.0 #4

Bump actions/attest-build-provenance from 2.4.0 to 3.0.0

Bump actions/attest-build-provenance from 2.4.0 to 3.0.0 #4

name: Multiplatform Build with QEMU
on:
push:
workflow_dispatch:
jobs:
docker:
permissions: # needed for signing and attestations
id-token: write # write seems weird, but it is correct per docs
attestations: write
contents: read
packages: write
runs-on: ubuntu-latest
steps:
-
name: Install Cosign
uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3.9.1
-
name: Set up QEMU
uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
-
name: Login to GitHub Container Registry
uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
-
name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804
with:
images: |
ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}-qemu
labels: |
org.opencontainers.image.description=Demo QEMU Build
-
name: Build and push
id: build
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
with:
file: Dockerfile
platforms: linux/amd64,linux/arm64
push: true
sbom: true
provenance: mode=max
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
-
name: Attest
uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v1
id: attest
with:
subject-name: ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}-qemu
subject-digest: ${{ steps.build.outputs.digest }}
push-to-registry: true
-
name: Sign the images with GitHub OIDC Token
env:
DIGEST: ${{ steps.build.outputs.digest }}
TAGS: ${{ steps.meta.outputs.tags }}
run: |
images=""
for tag in ${TAGS}; do
images+="${tag}@${DIGEST} "
done
cosign sign --yes ${images}