try docker provenance/sbom

Signed-off-by: Brian DeHamer <bdehamer@github.com>
bdehamer · May 13, 2024 · 6c73918 · 6c73918
1 parent 1be851e
commit 6c73918
Showing 1 changed file with 29 additions and 2 deletions.
diff --git a/.github/workflows/image.yml b/.github/workflows/image.yml
@@ -15,16 +15,43 @@ jobs:
       REGISTRY: ghcr.io
       IMAGE_NAME: ${{ github.repository }}
     steps:
+      - name: Build artifact
+        run: date > artifact.bin
+
+      - name: Build Dockerfile
+        run: |
+          cat <<EOF > Dockerfile
+          FROM scratch
+          COPY artifact.bin .
+          EOF
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
+
       - name: Login to GHCR
         uses: docker/login-action@v3
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push
+        id: build-and-push
+        uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
+        with:
+          context: .
+          platforms: 'linux/amd64,linux/arm64'
+          push: true
+          sbom: true
+          provenance: true
+          tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
+
       - name: Attest artifact
         uses: actions/attest-build-provenance@v1
         with:
           subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-          subject-digest: sha256:458e52976b041df295e2de3b370168c387e91e78a3ecf813c6db66c37590440c
-          push-to-registry: true
+          subject-digest: ${{ steps.build-and-push.outputs.digest }}