From 9f043ce4098a243ac3fc94b84f6837cbc49b991e Mon Sep 17 00:00:00 2001
From: Kevin Lu <6320810+kevinlul@users.noreply.github.com>
Date: Thu, 30 May 2024 20:00:34 -0400
Subject: [PATCH] Add attestations (#597)

https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds
https://docs.docker.com/build/ci/github-actions/attestations/
---
 .github/workflows/docker.yml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 76e58065..2b2519f3 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -50,6 +50,7 @@ jobs:
 username: ${{ github.repository_owner }}
 password: ${{ secrets.GITHUB_TOKEN }}
 - uses: docker/build-push-action@v5
+ id: build-push
 with:
 push: ${{ github.event_name == 'push' }}
 tags: ${{ steps.meta.outputs.tags }}
@@ -58,3 +59,10 @@ jobs:
 pull: true
 cache-from: type=local,src=/tmp/.buildx-cache
 cache-to: type=local,dest=/tmp/.buildx-cache,mode=max
+ sbom: ${{ github.event_name == 'push' }}
+ - uses: actions/attest-build-provenance@v1
+ if: ${{ github.event_name == 'push' }}
+ with:
+ subject-name: ${{ steps.meta.outputs.tags[0] }}
+ subject-digest: ${{ steps.build-push.outputs.digest }}
+ push-to-registry: true
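Review bot: `subject-name: ${{ steps.meta.outputs.tags[0] }}` in the second hunk probably does not resolve to an image name: docker/metadata-action exposes `tags` as a newline-separated string rather than an array, so the index expression is likely to evaluate to empty, and actions/attest-build-provenance documents `subject-name` as the fully qualified image name without a tag (`subject-digest` already carries the sha256). A value such as `subject-name: <REGISTRY>/<IMAGE_NAME>` (placeholder — presumably the same image name the `meta` step is given, which is outside the hunk) would match what the action expects. `push-to-registry: true` also needs the job to hold `id-token: write` and `attestations: write` alongside `packages: write`; the `permissions` block is not in the hunk, so confirm it grants them, otherwise the OIDC signing request fails at run time. Both newly referenced actions are pinned by mutable major tags (`@v5`, `@v1`); a full-length commit SHA pin keeps the step that produces the provenance itself from being swapped out under the tag. The enclosing job and its `steps` list start outside the hunk.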