diff --git a/.github/workflows/docker-hub-develop.yml b/.github/workflows/docker-hub-develop.yml
index 4cb6eaa4..88c65579 100644
--- a/.github/workflows/docker-hub-develop.yml
+++ b/.github/workflows/docker-hub-develop.yml
@@ -16,6 +16,11 @@ env:
 jobs:
 docker-latest:
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ packages: write
+ contents: read
+ attestations: write
 steps:
 - name: Check out
 uses: actions/checkout@v4
@@ -26,10 +31,12 @@ jobs:
 # Needed for multi platform builds
 - name: Set up QEMU
- uses: docker/setup-qemu-action@v3.0.0
+ uses: docker/setup-qemu-action@v3
+ with:
+ platforms: ${{ env.PLATFORMS }}
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3.3.0
+ uses: docker/setup-buildx-action@v3
 - name: Log in to Docker Hub
 uses: docker/login-action@v3
@@ -38,6 +45,7 @@ jobs:
 password: ${{ secrets.DOCKERHUB_TOKEN }}
 - name: Build image
+ id: push
 uses: docker/build-push-action@v5
 with:
 context: .
@@ -46,3 +54,11 @@ jobs:
 push: ${{ env.PUSH }}
 tags: |
 ${{ env.DOCKER_NAMESPACE }}/draupnir:develop
+
+ - name: Attest
+ uses: actions/attest-build-provenance@v1
+ id: attest
+ with:
+ subject-name: ${{ env.DOCKER_NAMESPACE }}/draupnir:develop
+ subject-digest: ${{ steps.push.outputs.digest }}
+ push-to-registry: true
diff --git a/.github/workflows/docker-hub-latest.yml b/.github/workflows/docker-hub-latest.yml
index ddcec01d..38110dbe 100644
--- a/.github/workflows/docker-hub-latest.yml
+++ b/.github/workflows/docker-hub-latest.yml
@@ -14,6 +14,11 @@ env:
 jobs:
 docker-release:
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ packages: write
+ contents: read
+ attestations: write
 steps:
 - name: Check out
 uses: actions/checkout@v4
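Review bot: `packages: write` in the new job-level `permissions:` block grants more than the job visibly uses: the only registry login in this workflow is `docker/login-action@v3` with `secrets.DOCKERHUB_TOKEN` against Docker Hub, while `packages` scopes GITHUB_TOKEN for GitHub Packages/GHCR, which no step shown here pushes to. Unless the attestation push is meant to land on ghcr.io (not visible from the hunk), drop that line and keep `id-token: write`, `attestations: write` and `contents: read`, which are what the attest step and the checkout need. The same block is added in the docker-hub-latest.yml and docker-hub-release.yml hunks below.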
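Review bot: Replacing `docker/setup-qemu-action@v3.0.0` and `docker/setup-buildx-action@v3.3.0` with the floating `@v3` major tags loosens the supply-chain pin in the same commit that adds build provenance; a mutable major tag resolves to whatever the upstream maintainer points it at, so the attestation describes a build whose toolchain is not fixed. Pin both to the full commit SHA of the intended release with the version in a trailing comment, e.g. `uses: docker/setup-qemu-action@<commit-sha>  # v3.x.y` (SHA and version are placeholders), and consider the same for the other `@v3`/`@v4`/`@v5` references in these files. The same replacement appears in the docker-hub-latest.yml and docker-hub-release.yml hunks below.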
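Review bot: The `Build image` step in this file gains only `id: push`, while the same step in docker-hub-latest.yml and docker-hub-release.yml also gains `sbom: true`, so develop images will carry provenance but no SBOM. If that is intentional for develop builds, a comment next to `push:` such as `# SBOM is only generated for latest/release images` makes the asymmetry explicit; otherwise add `sbom: true` here as well. The rest of the step's `with:` block continues outside this hunk.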
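Review bot: `subject-name: ${{ env.DOCKER_NAMESPACE }}/draupnir:develop` in the new Attest step carries a tag, but actions/attest-build-provenance identifies the image by `subject-digest` and, as documented for the action, expects `subject-name` to be the fully-qualified, tag-free image name (including the registry host when `push-to-registry: true` is meant to push to Docker Hub); with the tag included the push may fail or bind the attestation to a name that does not match the registry reference. Change it to the host-qualified form, e.g. `subject-name: docker.io/${{ env.DOCKER_NAMESPACE }}/draupnir`, assuming DOCKER_NAMESPACE holds only the namespace (its value is not visible here). The step also runs unconditionally while the build uses `push: ${{ env.PUSH }}`, so when PUSH is false there is no pushed image to attach the attestation to; gate it with `if: ${{ env.PUSH == 'true' }}` or skip the step in that case. The Attest hunks in docker-hub-latest.yml and docker-hub-release.yml have the same tagged subject-name. The enclosing job definition begins before this hunk.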
@@ -26,10 +31,12 @@ jobs:
 # Needed for multi platform builds
 - name: Set up QEMU
- uses: docker/setup-qemu-action@v3.0.0
+ uses: docker/setup-qemu-action@v3
+ with:
+ platforms: ${{ env.PLATFORMS }}
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3.3.0
+ uses: docker/setup-buildx-action@v3
 - name: Log in to Docker Hub
 uses: docker/login-action@v3
@@ -38,11 +45,21 @@ jobs:
 password: ${{ secrets.DOCKERHUB_TOKEN }}
 - name: Build image
+ id: push
 uses: docker/build-push-action@v5
 with:
 context: .
 file: ./Dockerfile
 platforms: ${{ env.PLATFORMS }}
 push: true
+ sbom: true
 tags: |
 ${{ env.DOCKER_NAMESPACE }}/draupnir:latest
+
+ - name: Attest
+ uses: actions/attest-build-provenance@v1
+ id: attest
+ with:
+ subject-name: ${{ env.DOCKER_NAMESPACE }}/draupnir:latest
+ subject-digest: ${{ steps.push.outputs.digest }}
+ push-to-registry: true
diff --git a/.github/workflows/docker-hub-release.yml b/.github/workflows/docker-hub-release.yml
index 03958c6d..aa080aa3 100644
--- a/.github/workflows/docker-hub-release.yml
+++ b/.github/workflows/docker-hub-release.yml
@@ -14,6 +14,11 @@ env:
 jobs:
 docker-release:
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ packages: write
+ contents: read
+ attestations: write
 steps:
 - name: Check out
 uses: actions/checkout@v4
@@ -26,10 +31,12 @@ jobs:
 # Needed for multi platform builds
 - name: Set up QEMU
- uses: docker/setup-qemu-action@v3.0.0
+ uses: docker/setup-qemu-action@v3
+ with:
+ platforms: ${{ env.PLATFORMS }}
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3.3.0
+ uses: docker/setup-buildx-action@v3
 - name: Log in to Docker Hub
 uses: docker/login-action@v3
@@ -38,11 +45,21 @@ jobs:
 password: ${{ secrets.DOCKERHUB_TOKEN }}
 - name: Build image
+ id: push
 uses: docker/build-push-action@v5
 with:
 context: .
 file: ./Dockerfile
 platforms: ${{ env.PLATFORMS }}
 push: true
+ sbom: true
 tags: |
 ${{ env.DOCKER_NAMESPACE }}/draupnir:${{ env.RELEASE_VERSION }}
+
+ - name: Attest
+ uses: actions/attest-build-provenance@v1
+ id: attest
+ with:
+ subject-name: ${{ env.DOCKER_NAMESPACE }}/draupnir:${{ env.RELEASE_VERSION }}
+ subject-digest: ${{ steps.push.outputs.digest }}
+ push-to-registry: true