
Commit 8879a04

ci(docker-publish): 👷 Enhance Docker publish workflow security and permissions
- Configure required permissions for package registry and attestations
- Enable build provenance attestation using actions/attest-build-provenance@v2
1 parent d05c55f commit 8879a04


1 file changed

+12
-0
lines changed


.github/workflows/docker-publish.yml

Lines changed: 12 additions & 0 deletions
@@ -17,6 +17,11 @@ on:
1717
jobs:
1818
docker:
1919
runs-on: ubuntu-latest
20+
permissions:
21+
contents: read
22+
packages: write
23+
attestations: write
24+
id-token: write
2025
steps:
2126
- uses: actions/checkout@v4
2227
- uses: docker/setup-qemu-action@v3
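Review bot: the new `permissions:` block is job-scoped, so every step in `docker`, including the third-party `actions/checkout@v4` and `docker/setup-qemu-action@v3` in the trailing context, runs with `packages: write` and `id-token: write`; since that token can publish to the package registry and mint OIDC tokens, consider pinning those actions to a full commit SHA instead of a mutable version tag. Keeping `contents: read` rather than `write` is the right least-privilege choice for a publish job.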
@@ -39,6 +44,7 @@ jobs:
3944
tags: |
4045
type=raw,value=${{ env.RELEASE_VERSION }}
4146
- uses: docker/build-push-action@v5
47+
id: build
4248
with:
4349
context: .
4450
target: mermaid
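Review bot: `id: build` is what lets the later attestation step reference `steps.build.outputs.digest`, and that output is the manifest digest of the image as pushed to the registry, so it is only a usable attestation subject when the build actually pushes; the `with:` block is cut off in this hunk, so confirm it contains `push: true` (the `pull: true` visible in the next hunk is a different option). A one-line comment above `id: build` saying the id exists for the attestation step would make the coupling obvious to the next editor.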
@@ -47,3 +53,9 @@ jobs:
4753
pull: true
4854
tags: ${{ steps.meta.outputs.tags }}
4955
labels: ${{ steps.meta.outputs.labels }}
56+
- name: Generate Build Attestation
57+
uses: actions/attest-build-provenance@v2
58+
with:
59+
subject-name: ghcr.io/${{ github.repository }}
60+
subject-digest: ${{ steps.build.outputs.digest }}
61+
push-to-registry: true
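Review bot: `subject-name: ghcr.io/${{ github.repository }}` is built from the raw repository name, while the image itself is pushed under `${{ steps.meta.outputs.tags }}`; if the repository name contains uppercase characters the two will differ in case, so consider deriving the subject name from the same metadata step (or lowercasing it) so the attestation is attached to the name the registry actually holds. The grants added in the first hunk (`attestations: write`, `packages: write`, `id-token: write`) are exactly what `push-to-registry: true` requires, so that part is consistent. It would also help to document, next to this step, how consumers check the result, for example `gh attestation verify oci://ghcr.io/<owner>/<repo>:<tag> --owner <owner>` with the placeholders filled in for this repository.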
