SRE-2916: Publish build attestation to GH. (#43)

ivan-chepurin-immutable · web-flow · commit f19920a2a788 · 2025-06-24T10:16:39.000+10:00
diff --git a/.github/actions/push/action.yaml b/.github/actions/push/action.yaml
@@ -16,6 +16,11 @@ inputs:
     required: false
     type: string
 
+outputs:
+  digest:
+    description: "The digest of the built image"
+    value: ${{ steps.build.outputs.digest }}
+
 runs:
   using: "composite"
   steps:
@@ -67,6 +72,7 @@ runs:
         endpoint: builders
 
     - name: Build and push
+      id: build
       uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # pin@v6.15.0
       with:
         context: .
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
@@ -10,6 +10,10 @@ jobs:
   push:
     name: Push Docker
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      attestations: write
+      packages: write
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # pin@v4.2.2
@@ -23,6 +27,15 @@ jobs:
           echo TAGS="ghcr.io/${{ github.repository }}/immutable-geth:unstable-$BUILD_TIMESTAMP-git.$SHORT_SHA" >> $GITHUB_ENV
 
       - uses: ./.github/actions/push
+        id: push
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           tags: ${{ env.TAGS }}
+
+      - name: Attest
+        uses: actions/attest-build-provenance@v2
+        id: attest
+        with:
+          subject-name: ghcr.io/${{ github.repository }}/immutable-geth
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: false
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -8,6 +8,10 @@ jobs:
   push:
     name: Push Docker
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      attestations: write
+      packages: write
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # pin@v4.2.2
@@ -16,6 +20,15 @@ jobs:
         run: echo "TAG=$(echo ${GITHUB_REF} | sed 's/refs\/tags\///')" >> $GITHUB_ENV
 
       - uses: ./.github/actions/push
+        id: push
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           tags: "ghcr.io/${{ github.repository }}/immutable-geth:latest,ghcr.io/${{ github.repository }}/immutable-geth:${{ env.TAG }}"
+      
+      - name: Attest
+        uses: actions/attest-build-provenance@v2
+        id: attest
+        with:
+          subject-name: ghcr.io/${{ github.repository }}/immutable-geth
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: false
