From 2ea6be0aa6c1c8f6d3765e0d6108fe0345fc4372 Mon Sep 17 00:00:00 2001
From: "JM (Jason Meridth)"
Date: Sat, 25 Jan 2025 10:34:57 -0600
Subject: [PATCH 1/2] ci: enable attestations again (#43)

- [x] update docs this time
- [x] update auto-labeler permissions since change in previous PR

Signed-off-by: jmeridth
---
.github/workflows/release-image.yaml | 11 +++++++++++
.github/workflows/test-release.yaml | 1 +
docs/auto-labeler.md | 1 -
docs/release-image.md | 2 ++
4 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/release-image.yaml b/.github/workflows/release-image.yaml
index 93a2f8b..397c10c 100644
--- a/.github/workflows/release-image.yaml
+++ b/.github/workflows/release-image.yaml
@@ -12,6 +12,10 @@ on:
short-tag:
required: true
type: string
+ create-attestation:
+ required: false
+ type: boolean
+ default: false
secrets:
github-token:
required: true
@@ -58,3 +62,10 @@ jobs:
platforms: linux/amd64,linux/arm64
provenance: false
sbom: false
+ - name: Generate artifact attestation
+ if: ${{ inputs.create-attestation }}
+ uses: actions/attest-build-provenance@v2
+ with:
+ subject-name: ${{ env.IMAGE_REGISTRY }}/${{ inputs.image-name}}
+ subject-digest: ${{ steps.push.outputs.digest }}
+ push-to-registry: true
diff --git a/.github/workflows/test-release.yaml b/.github/workflows/test-release.yaml
index 56ea5a6..fe552f3 100644
--- a/.github/workflows/test-release.yaml
+++ b/.github/workflows/test-release.yaml
@@ -34,6 +34,7 @@ jobs:
image-registry: ghcr.io
image-registry-username: ${{ github.actor }}
image-registry-password: ${{ secrets.GITHUB_TOKEN }}
+ create-attestation: true
release_discussion:
needs: release
permissions:
diff --git a/docs/auto-labeler.md b/docs/auto-labeler.md
index 30dc6b1..6c0a8d8 100644
--- a/docs/auto-labeler.md
+++ b/docs/auto-labeler.md
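Review bot: The `Generate artifact attestation` step added at the end of the second release-image.yaml hunk needs `id-token: write`, `attestations: write` and, because of `push-to-registry: true`, `packages: write` on the job, and nothing in the hunk grants them — the job's `permissions:` block is outside the hunk, and `docs/release-image.md` in this same patch documents only the new flag. Because the step is gated by `if: ${{ inputs.create-attestation }}`, a missing grant surfaces only for callers that opt in, and only after the step the digest comes from (`steps.push`, presumably the build-and-push step above) has already run, so the tag lands in the registry with no attestation. I'd add a comment on the `create-attestation` input, `# Requires the calling job to grant id-token: write, attestations: write and packages: write`, and repeat it in the docs example. The step also depends on `steps.push.outputs.digest` and `env.IMAGE_REGISTRY`, neither of which is defined in the hunk; a comment `# digest from the build-push step (id: push)` would make that coupling visible. Minor: `${{ inputs.image-name}}` is missing the space before `}}` that the neighbouring expressions have.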
@@ -5,7 +5,6 @@
```yaml
- uses: github/ospo-reusable-workflows/.github/workflows/auto-labeler.yml@main
permissions:
- contents: write
pull-requests: write
with:
# The name of the configuration file to use, default is release-drafter.yml
diff --git a/docs/release-image.md b/docs/release-image.md
index 72fc1e4..97b6bd8 100644
--- a/docs/release-image.md
+++ b/docs/release-image.md
@@ -16,6 +16,8 @@
full-tag: v1.0.0
# Short tag of the image, usually the major version (v1)
short-tag: v1
+ # Flag to create an attestation
+ create-attestation: true
secrets:
# The GitHub token to use
github-token: ${{ secrets.GITHUB_TOKEN }}
From f5b528291786ca297151b67ace6dd2628bdd267b Mon Sep 17 00:00:00 2001
From: "JM (Jason Meridth)"
Date: Sat, 25 Jan 2025 10:38:49 -0600
Subject: [PATCH 2/2] fix: put argument in correct section, config, not secrets (#44)

Signed-off-by: jmeridth
---
.github/workflows/test-release.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/test-release.yaml b/.github/workflows/test-release.yaml
index fe552f3..31587e1 100644
--- a/.github/workflows/test-release.yaml
+++ b/.github/workflows/test-release.yaml
@@ -29,12 +29,12 @@ jobs:
image-name: ${{ github.repository }}
full-tag: ${{ needs.release.outputs.full-tag }}
short-tag: ${{ needs.release.outputs.short-tag }}
+ create-attestation: true
secrets:
github-token: ${{ secrets.GITHUB_TOKEN }}
image-registry: ghcr.io
image-registry-username: ${{ github.actor }}
image-registry-password: ${{ secrets.GITHUB_TOKEN }}
- create-attestation: true
release_discussion:
needs: release
permissions:
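Review bot: Setting `create-attestation: true` in the `with:` block of the patch 2 hunk turns on the reusable workflow's attest step, which needs `id-token: write`, `attestations: write` and `packages: write`; a called workflow can only use permissions the calling job grants, and that job's `permissions:` block is above this hunk, so I can't confirm it includes them. If it doesn't, the image is pushed first and the attestation step then fails, leaving an unattested release tag in ghcr.io. Consider a comment next to the flag, `# needs id-token/attestations/packages: write on this job`, so the dependency is visible where it is enabled.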