Commit 649c667
Add attestation to built images (#2)
This PR adds attestation to the Docker images, allowing anyone to verify
they were built within the GitHub Actions workflow.
From [the GitHub
docs](https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds):
> Artifact attestations enable you to create unfalsifiable provenance
and integrity guarantees for the software you build. In turn, people who
consume your software can verify where and how your software was built.
>
> When you generate artifact attestations with your software, you create
cryptographically signed claims that establish your build's provenance
and include the following information:
>
> - A link to the workflow associated with the artifact.
> - The repository, organization, environment, commit SHA, and
triggering event for the artifact.
> - Other information from the OIDC token used to establish provenance.
For more information, see [About security hardening with OpenID
Connect](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect).

1 parent def8bcf commit 649c667
1 file changed, +13 -0 lines changed
Added lines: diff line numbers 7-12, 36, 43-48.