Add SBOM and Attestation to the Docker release process (#477)

* feat: Add SBOM and Attestation to the Docker release process. Also ensure we only deploy platforms on the qemu action as needed and update versions.

This also limits the permissions used

* fix: Make sure there is an empty line at the end of the file

* Fix the qemu platforms

.github/workflows/docker-hub-develop.yml

@@ -16,6 +16,11 @@ env:
 jobs:
   docker-latest:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      packages: write
+      contents: read
+      attestations: write
     steps:
       - name: Check out
         uses: actions/checkout@v4
@@ -26,10 +31,12 @@ jobs:
 
       # Needed for multi platform builds
       - name: Set up QEMU
-        uses: docker/[email protected]
+        uses: docker/setup-qemu-action@v3
+        with:
+          platforms: ${{ env.PLATFORMS }}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3.3.0
+        uses: docker/setup-buildx-action@v3
 
       - name: Log in to Docker Hub
         uses: docker/login-action@v3
@@ -38,6 +45,7 @@ jobs:
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Build image
+        id: push
         uses: docker/build-push-action@v5
         with:
           context: .
@@ -46,3 +54,11 @@ jobs:
           push: ${{ env.PUSH }}
           tags: |
             ${{ env.DOCKER_NAMESPACE }}/draupnir:develop
+
+      - name: Attest
+        uses: actions/attest-build-provenance@v1
+        id: attest
+        with:
+          subject-name: ${{ env.DOCKER_NAMESPACE }}/draupnir:develop
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true

.github/workflows/docker-hub-latest.yml

@@ -14,6 +14,11 @@ env:
 jobs:
   docker-release:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      packages: write
+      contents: read
+      attestations: write
     steps:
       - name: Check out
         uses: actions/checkout@v4
@@ -26,10 +31,12 @@ jobs:
 
       # Needed for multi platform builds
       - name: Set up QEMU
-        uses: docker/[email protected]
+        uses: docker/setup-qemu-action@v3
+        with:
+          platforms: ${{ env.PLATFORMS }}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3.3.0
+        uses: docker/setup-buildx-action@v3
 
       - name: Log in to Docker Hub
         uses: docker/login-action@v3
@@ -38,11 +45,21 @@ jobs:
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Build image
+        id: push
         uses: docker/build-push-action@v5
         with:
           context: .
           file: ./Dockerfile
           platforms: ${{ env.PLATFORMS }}
           push: true
+          sbom: true
           tags: |
             ${{ env.DOCKER_NAMESPACE }}/draupnir:latest
+
+      - name: Attest
+        uses: actions/attest-build-provenance@v1
+        id: attest
+        with:
+          subject-name: ${{ env.DOCKER_NAMESPACE }}/draupnir:latest
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true

.github/workflows/docker-hub-release.yml

@@ -14,6 +14,11 @@ env:
 jobs:
   docker-release:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      packages: write
+      contents: read
+      attestations: write
     steps:
       - name: Check out
         uses: actions/checkout@v4
@@ -26,10 +31,12 @@ jobs:
 
       # Needed for multi platform builds
       - name: Set up QEMU
-        uses: docker/[email protected]
+        uses: docker/setup-qemu-action@v3
+        with:
+          platforms: ${{ env.PLATFORMS }}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3.3.0
+        uses: docker/setup-buildx-action@v3
 
       - name: Log in to Docker Hub
         uses: docker/login-action@v3
@@ -38,11 +45,21 @@ jobs:
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Build image
+        id: push
         uses: docker/build-push-action@v5
         with:
           context: .
           file: ./Dockerfile
           platforms: ${{ env.PLATFORMS }}
           push: true
+          sbom: true
           tags: |
             ${{ env.DOCKER_NAMESPACE }}/draupnir:${{ env.RELEASE_VERSION }}
+
+      - name: Attest
+        uses: actions/attest-build-provenance@v1
+        id: attest
+        with:
+          subject-name: ${{ env.DOCKER_NAMESPACE }}/draupnir:${{ env.RELEASE_VERSION }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true