new(CI): add provenance for ecr image

Signed-off-by: Aldo Lacuku <[email protected]>
falcosecurity · Feb 22, 2024 · 2b60f31 · 2b60f31
1 parent 6c90d6a
commit 2b60f31
Showing 1 changed file with 15 additions and 1 deletion.
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -120,7 +120,7 @@ jobs:
       build_date: ${{ needs.docker-configure.outputs.build_date }}
       sign: true
 
-  provenance-for-images:
+  provenance-for-images-docker:
     needs: [docker-configure, docker-image]
     permissions:
       actions: read # for detecting the Github Actions environment.
@@ -136,3 +136,17 @@ jobs:
     secrets:
       registry-username: ${{ secrets.DOCKERHUB_USER }}
       registry-password: ${{ secrets.DOCKERHUB_SECRET }}
+
+  provenance-for-images-aws-ecr:
+    needs: [docker-configure, docker-image]
+    permissions:
+      actions: read # for detecting the Github Actions environment.
+      id-token: write # for creating OIDC tokens for signing.
+      packages: write # for uploading attestations.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+    with:
+      image: public.ecr.aws/falcosecurity/falcoctl
+      # The image digest is used to prevent TOCTOU issues.
+      # This is an output of the docker/build-push-action
+      # See: https://github.com/slsa-framework/slsa-verifier#toctou-attacks
+      digest: ${{ needs.docker-image.outputs.digest }}