actions/attest-build-provenance

jqlang · Dec 11, 2024 · 7f162db · 7f162db
1 parent 8bcdc93
commit 7f162db
Showing 1 changed file with 35 additions and 1 deletion.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -7,6 +7,11 @@ on:
       - "jq-*"
   pull_request:
 
+permissions:
+  id-token: write
+  contents: read
+  attestations: write
+
 jobs:
   linux:
     strategy:
@@ -111,6 +116,10 @@ jobs:
           path: |
             test-suite.log
             tests/*.log
+      - name: attest-build-provenance
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-path: jq-${{ env.SUFFIX }}
       - name: Upload artifacts
         uses: actions/upload-artifact@v4
         with:
@@ -178,6 +187,10 @@ jobs:
           path: |
             test-suite.log
             tests/*.log
+      - name: attest-build-provenance
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-path: jq-${{ env.SUFFIX }}
       - name: Upload artifacts
         uses: actions/upload-artifact@v4
         with:
@@ -252,6 +265,10 @@ jobs:
           path: |
             test-suite.log
             tests/*.log
+      - name: attest-build-provenance
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-path: jq-${{ env.SUFFIX }}.exe
       - name: Upload artifacts
         uses: actions/upload-artifact@v4
         with:
@@ -281,6 +298,12 @@ jobs:
           make distcheck
           make dist dist-zip
           git diff --exit-code
+      - name: attest-build-provenance
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-path: |
+            jq-*.tar.gz
+            jq-*.zip
       - name: Upload artifacts
         uses: actions/upload-artifact@v4
         with:
@@ -294,6 +317,9 @@ jobs:
   docker:
     runs-on: ubuntu-latest
     permissions:
+      id-token: write
+      contents: read
+      attestations: write
       packages: write
     needs: linux
     steps:
@@ -329,7 +355,8 @@ jobs:
         id: metadata
         with:
           images: ghcr.io/${{ github.repository }}
-          tags: ${{ startsWith(github.ref, 'refs/tags/jq-')
+          tags: >
+            ${{ startsWith(github.ref, 'refs/tags/jq-')
             && format('type=match,pattern=jq-(.*),group=1,value={0}', github.ref_name)
             || 'type=sha,format=long' }}
       - name: Set up QEMU
@@ -343,6 +370,7 @@ jobs:
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build and release Docker image
+        id: attestation
         uses: docker/build-push-action@v6
         with:
           context: .
@@ -351,6 +379,12 @@ jobs:
           platforms: linux/386,linux/amd64,linux/arm64,linux/mips64le,linux/ppc64le,linux/riscv64,linux/s390x
           tags: ${{ steps.metadata.outputs.tags }}
           labels: ${{ steps.metadata.outputs.labels }}
+      - name: attest-build-provenance
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-name: ghcr.io/${{ github.repository }}
+          subject-digest: ${{ steps.attestation.outputs.digest }}
+          push-to-registry: true
 
   release:
     runs-on: ubuntu-latest