diff --git a/.github/workflows/release-image.yaml b/.github/workflows/release-image.yaml
index 93a2f8b..397c10c 100644
--- a/.github/workflows/release-image.yaml
+++ b/.github/workflows/release-image.yaml
@@ -12,6 +12,10 @@ on:
 short-tag:
 required: true
 type: string
+ create-attestation:
+ required: false
+ type: boolean
+ default: false
 secrets:
 github-token:
 required: true
@@ -58,3 +62,10 @@ jobs:
 platforms: linux/amd64,linux/arm64
 provenance: false
 sbom: false
+ - name: Generate artifact attestation
+ if: ${{ inputs.create-attestation }}
+ uses: actions/attest-build-provenance@v2
+ with:
+ subject-name: ${{ env.IMAGE_REGISTRY }}/${{ inputs.image-name}}
+ subject-digest: ${{ steps.push.outputs.digest }}
+ push-to-registry: true
diff --git a/.github/workflows/test-release.yaml b/.github/workflows/test-release.yaml
index 56ea5a6..31587e1 100644
--- a/.github/workflows/test-release.yaml
+++ b/.github/workflows/test-release.yaml
@@ -29,6 +29,7 @@ jobs:
 image-name: ${{ github.repository }}
 full-tag: ${{ needs.release.outputs.full-tag }}
 short-tag: ${{ needs.release.outputs.short-tag }}
+ create-attestation: true
 secrets:
 github-token: ${{ secrets.GITHUB_TOKEN }}
 image-registry: ghcr.io
diff --git a/docs/auto-labeler.md b/docs/auto-labeler.md
index 30dc6b1..6c0a8d8 100644
--- a/docs/auto-labeler.md
+++ b/docs/auto-labeler.md
@@ -5,7 +5,6 @@
 ```yaml
 - uses: github/ospo-reusable-workflows/.github/workflows/auto-labeler.yml@main
 permissions:
- contents: write
 pull-requests: write
 with:
 # The name of the configuration file to use, default is release-drafter.yml
diff --git a/docs/release-image.md b/docs/release-image.md
index 72fc1e4..97b6bd8 100644
--- a/docs/release-image.md
+++ b/docs/release-image.md
@@ -16,6 +16,8 @@
 full-tag: v1.0.0
 # Short tag of the image, usually the major version (v1)
 short-tag: v1
+ # Flag to create an attestation
+ create-attestation: true
 secrets:
 # The GitHub token to use
 github-token: ${{ secrets.GITHUB_TOKEN }}
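Review bot: The new `Generate artifact attestation` step in `release-image.yaml` needs token permissions that nothing in this diff grants: `actions/attest-build-provenance` requires `id-token: write` and `attestations: write` on the job, plus `packages: write` for `push-to-registry: true`. Because this is a reusable workflow, the calling job's `permissions:` cap what it can receive, so the `create-attestation: true` caller in `test-release.yaml` needs the same grants; neither job's permissions block is visible in these hunks, so confirm both. Scope the grants to the job rather than the whole workflow, and list them in `docs/release-image.md` beside the new input so consumers who enable it do not hit a failing step. It is also worth checking that the build step carries `id: push`, since `steps.push.outputs.digest` is empty otherwise. Separately, consider pinning `actions/attest-build-provenance@v2` to a full commit SHA, because a movable tag on the step that signs provenance is a supply-chain exposure.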