ci: attestations for binaries and images (#279)

Signed-off-by: Chris Gianelloni <wolf31o2@blinklabs.io>
blinklabs-io · Dec 14, 2024 · 0beb626 · 0beb626
1 parent 5480f27
commit 0beb626
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 1 deletion.
diff --git a/.github/workflows/ci-docker.yml b/.github/workflows/ci-docker.yml
@@ -14,6 +14,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          fetch-depth: '0'
       - name: qemu
         uses: docker/setup-qemu-action@v3
       - uses: docker/setup-buildx-action@v3

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -45,9 +45,19 @@ jobs:
         arch: [amd64, arm64]
     runs-on: ubuntu-latest
     needs: [create-draft-release]
+    permissions:
+      actions: write
+      attestations: write
+      checks: write
+      contents: write
+      id-token: write
+      packages: write
+      statuses: write
     steps:
       - run: "echo \"RELEASE_TAG=${GITHUB_REF#refs/tags/}\" >> $GITHUB_ENV"
       - uses: actions/checkout@v4
+        with:
+          fetch-depth: '0'
       - uses: actions/setup-go@v5
         with:
           go-version: 1.22.x
@@ -60,19 +70,33 @@ jobs:
           if [[ ${{ matrix.os }} == windows ]]; then
             _filename=${_filename}.exe
           fi
-          mv tx-submit-api ${_filename}
+          cp tx-submit-api ${_filename}
           curl \
             -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
             -H "Content-Type: application/octet-stream" \
             --data-binary @${_filename} \
             https://uploads.github.com/repos/${{ github.repository_owner }}/tx-submit-api/releases/${{ needs.create-draft-release.outputs.RELEASE_ID }}/assets?name=${_filename}
+      - name: Attest binary
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-path: 'tx-submit-api'
 
   build-images:
     runs-on: ubuntu-latest
     needs: [create-draft-release]
+    permissions:
+      actions: write
+      attestations: write
+      checks: write
+      contents: write
+      id-token: write
+      packages: write
+      statuses: write
     steps:
       - run: "echo \"RELEASE_TAG=${GITHUB_REF#refs/tags/}\" >> $GITHUB_ENV"
       - uses: actions/checkout@v4
+        with:
+          fetch-depth: '0'
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
       - name: Set up Docker Buildx
@@ -103,11 +127,24 @@ jobs:
             type=semver,pattern={{version}}
       - name: Build images
         uses: docker/build-push-action@v6
+        id: push
         with:
           outputs: "type=registry,push=true"
           platforms: linux/amd64,linux/arm64
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+      - name: Attest Docker Hub image
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-name: index.docker.io/blinklabs/tx-submit-api
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
+      - name: Attest GHCR image
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-name: ghcr.io/${{ github.repository }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
       # Update Docker Hub from README
       - name: Docker Hub Description
         uses: peter-evans/dockerhub-description@v4