Add provenance to Docker image

Author: lucacome

.github/workflows/ci.yml

@@ -190,7 +190,7 @@ jobs:
           push: ${{ github.event_name != 'pull_request' }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
-          provenance: false
+          provenance: ${{ github.event_name != 'pull_request' && 'mode=max' || 'false' }}
           sbom: ${{ github.event_name != 'pull_request' }}
 
       - name: Scan image

README.md

@@ -478,6 +478,22 @@ For example to retrieve the SBOM for `linux/amd64` from Docker Hub and analyze i
 docker buildx imagetools inspect nginx/nginx-prometheus-exporter:edge --format '{{ json (index .SBOM "linux/amd64").SPDX }}' | grype
 ```
 
+## Provenance
+
+We generate provenance for the Docker image and it's available in the
+[DockerHub](https://hub.docker.com/r/nginx/nginx-prometheus-exporter),
+[GitHub Container registry](https://github.com/nginxinc/nginx-prometheus-exporter/pkgs/container/nginx-prometheus-exporter),
+[Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-prometheus-exporter) and
+[Quay.io](https://quay.io/repository/nginx/nginx-prometheus-exporter) repositories, stored as an attestation in the
+image manifest.
+
+For example to retrieve the provenance for `linux/amd64` from Docker Hub
+you can run the following command:
+
+```console
+docker buildx imagetools inspect nginx/nginx-prometheus-exporter:edge --format '{{ json (index .Provenance "linux/amd64").SLSA }}'
+```
+
 ## Contacts
 
 We’d like to hear your feedback! If you have any suggestions or experience issues with the NGINX Prometheus Exporter,