Skip to content

Attest Image (Google Artifact Registry) #37

Attest Image (Google Artifact Registry)

Attest Image (Google Artifact Registry) #37

Workflow file for this run

name: Attest Image (Google Artifact Registry)
on:
workflow_dispatch:
inputs:
buildx:
description: 'Use docker buildx'
type: boolean
required: false
default: true
jobs:
build-image-gar:
name: Build & Attest
runs-on: ubuntu-latest
permissions:
id-token: write
attestations: write
env:
REGISTRY: us-west1-docker.pkg.dev
IMAGE_NAME: dehamer24/${{ github.repository }}
steps:
- name: Build artifact
run: date > artifact.bin
- name: Build Dockerfile
run: |
cat <<EOF > Dockerfile
FROM scratch
COPY artifact.bin .
EOF
- name: Set up QEMU
if: inputs.buildx
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
if: inputs.buildx
uses: docker/setup-buildx-action@v3
- uses: 'google-github-actions/auth@v2'
id: auth
with:
workload_identity_provider: ${{ vars.GCLOUD_WIF_PROVIDER }}
service_account: ${{ vars.GCLOUD_SERVICE_ACCOUNT }}
token_format: access_token
- name: Auth w/ registry
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: oauth2accesstoken
password: ${{ steps.auth.outputs.access_token }}
- name: Build and push Docker image
id: push
uses: docker/build-push-action@v5.0.0
with:
context: .
push: true
tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
- name: Attest artifact
uses: actions/attest-build-provenance@v1
with:
subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
subject-digest: ${{ steps.push.outputs.digest }}
push-to-registry: true
- name: Fetch artifact index
run: |
oras discover --format json ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest | jq