diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index d599d36753..c5fb392dc8 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -7,6 +7,11 @@ on:
 - "jq-*"
 pull_request:
+permissions:
+ id-token: write
+ contents: read
+ attestations: write
+
 jobs:
 linux:
 strategy:
@@ -111,6 +116,10 @@ jobs:
 path: |
 test-suite.log
 tests/*.log
+ - name: attest-build-provenance
+ uses: actions/attest-build-provenance@v2
+ with:
+ subject-path: jq-${{ env.SUFFIX }}
 - name: Upload artifacts
 uses: actions/upload-artifact@v4
 with:
@@ -178,6 +187,10 @@ jobs:
 path: |
 test-suite.log
 tests/*.log
+ - name: attest-build-provenance
+ uses: actions/attest-build-provenance@v2
+ with:
+ subject-path: jq-${{ env.SUFFIX }}
 - name: Upload artifacts
 uses: actions/upload-artifact@v4
 with:
@@ -252,6 +265,10 @@ jobs:
 path: |
 test-suite.log
 tests/*.log
+ - name: attest-build-provenance
+ uses: actions/attest-build-provenance@v2
+ with:
+ subject-path: jq-${{ env.SUFFIX }}.exe
 - name: Upload artifacts
 uses: actions/upload-artifact@v4
 with:
@@ -281,6 +298,12 @@ jobs:
 make distcheck
 make dist dist-zip
 git diff --exit-code
+ - name: attest-build-provenance
+ uses: actions/attest-build-provenance@v2
+ with:
+ subject-path: |
+ jq-*.tar.gz
+ jq-*.zip
 - name: Upload artifacts
 uses: actions/upload-artifact@v4
 with:
@@ -294,6 +317,9 @@ jobs:
 docker:
 runs-on: ubuntu-latest
 permissions:
+ id-token: write
+ contents: read
+ attestations: write
 packages: write
 needs: linux
 steps:
@@ -329,7 +355,8 @@ jobs:
 id: metadata
 with:
 images: ghcr.io/${{ github.repository }}
- tags: ${{ startsWith(github.ref, 'refs/tags/jq-')
+ tags: >
+ ${{ startsWith(github.ref, 'refs/tags/jq-')
 && format('type=match,pattern=jq-(.*),group=1,value={0}', github.ref_name)
 || 'type=sha,format=long' }}
 - name: Set up QEMU
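Review bot: The workflow-level `permissions:` block added in the first hunk grants `id-token: write` and `attestations: write` to every job that does not declare its own block, not only to the jobs that run the attest step, so any job without a job-level block (the `release` job at the end of the file, if it has none — its body is outside these hunks) also receives an OIDC-capable token. Job-level `permissions:` replaces the workflow-level set rather than merging with it, which is why the docker job needed its own copy in the `@@ -294` hunk; the same per-job form on the linux, macos, windows and dist jobs would keep the grant scoped to the steps that use it. A one-line comment above the block, `# OIDC + attestations are needed by the attest-build-provenance steps; job-level blocks replace this set`, would make the scoping intent explicit.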
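Review bot: The new `attest-build-provenance` step in the `@@ -111` hunk has no `if:` guard, so it also runs for `pull_request` events (the workflow's `on:` block in the first hunk lists `pull_request:`), which signs provenance for artifacts built from unmerged PR code and, for pull requests from forks where `id-token: write` is not granted, will likely fail the job. Gating it on the release trigger, `if: startsWith(github.ref, 'refs/tags/jq-')` (the same expression the metadata step already uses), or at least `if: github.event_name != 'pull_request'`, limits attestations to builds that are actually published. The identical attest steps in the `@@ -178`, `@@ -252` and `@@ -281` hunks and in the docker job need the same condition.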
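Review bot: In the `@@ -329` hunk, `tags: >` folds the expression into one line but keeps a trailing newline (clip chomping); `tags: >-` strips it and states the intent of a single-line value. The `tags` input of the metadata step is newline-delimited, so the extra newline is harmless in practice, which makes this a style point only.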
@@ -343,6 +370,7 @@ jobs: username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - name: Build and release Docker image + id: attestation uses: docker/build-push-action@v6 with: context: . @@ -351,6 +379,12 @@ jobs: platforms: linux/386,linux/amd64,linux/arm64,linux/mips64le,linux/ppc64le,linux/riscv64,linux/s390x tags: ${{ steps.metadata.outputs.tags }} labels: ${{ steps.metadata.outputs.labels }} + - name: attest-build-provenance + uses: actions/attest-build-provenance@v2 + with: + subject-name: ghcr.io/${{ github.repository }} + subject-digest: ${{ steps.attestation.outputs.digest }} + push-to-registry: true release: runs-on: ubuntu-latest
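Review bot: The `id: attestation` added to the `docker/build-push-action` step names the build-and-push step after the thing that consumes it, which makes the later `steps.attestation.outputs.digest` read as if it came from the attest step. Naming the step for what it is, `id: build`, and referencing `subject-digest: ${{ steps.build.outputs.digest }}` in the following hunk keeps the data flow readable.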
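Review bot: `push-to-registry: true` in the `@@ -351` hunk assumes the image with `subject-digest` already exists in ghcr.io, which depends on the build step's `push:` input that lies outside this hunk; if the push is conditional (for example skipped on pull requests), the attest step needs the matching `if:`, otherwise it will try to attach an attestation to an image that was never pushed. The `digest` output of a multi-platform build is presumably the image index digest rather than a per-platform manifest digest, which is the right subject for `ghcr.io/<repo>@sha256:…` verification, but a comment stating that, `# digest is the multi-arch index digest, the subject consumers verify`, would save the next reader the lookup.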