Build

feat(ci): generate and push build provenance attestations #44

Summary
Jobs
- main
Run details
- Usage
- Workflow file

Workflow file for this run

	name: Build

	permissions:
	contents: read
	id-token: write
	packages: write

	on:
	pull_request:
	types:
	- edited
	- opened
	- ready_for_review
	- synchronize

	push:
	branches:
	- main
	paths:
	- go.mod
	- go.sum
	- "*/.go"
	- Dockerfile
	- .github/workflows/build.yml

	release:
	types:
	- created

	merge_group:

	jobs:
	main:
	permissions:
	attestations: write
	contents: read
	id-token: write
	packages: write

	runs-on: ubuntu-latest

	env:
	REGISTRY: ghcr.io
	IMAGE: grafana/generate-policy-bot-config
	PUSH_IMAGE: true
	# ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}

	steps:
	- name: Checkout
	uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

	- name: Set Docker Buildx up
	uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1

	- name: Log into GHCR
	uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
	with:
	registry: ${{ env.REGISTRY }}
	username: ${{ github.actor }}
	password: ${{ github.token }}

	- name: Calculate image metadata
	id: calculate-metadata
	uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
	with:
	images: ${{ env.REGISTRY }}/${{ env.IMAGE }}
	tags: \|
	# tag with branch name for `main`
	type=ref,event=branch,enable={{is_default_branch}}
	# tag with semver, and `latest`
	type=ref,event=tag
	# tag with pr-<number>-<sha>
	type=ref,suffix=-{{sha}},event=pr

	- name: Build and push
	id: build
	uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
	with:
	labels: ${{ steps.calculate-metadata.outputs.labels }}
	platforms: linux/amd64,linux/arm64
	provenance: true
	push: ${{ env.PUSH_IMAGE }}
	sbom: true
	tags: ${{ steps.calculate-metadata.outputs.tags }}

	- name: Extract platform-specific digests
	id: platform-digests
	run: \|
	REGISTRY_REF="${{ steps.calculate-metadata.outputs.tags }}"
	BASE_REF="${REGISTRY_REF%%:*}"

	# Get digests for each platform
	MANIFEST_JSON="$(docker buildx imagetools inspect "${REGISTRY_REF}" --format '{{json .}}')"

	# Create fully qualified references and extract digests
	for arch in amd64 arm64; do
	ARCH_REF="$(jq -r ".manifest.manifests[] \| select(.platform.architecture == \"${arch}\").digest" <<< "${MANIFEST_JSON}")"
	echo "${arch}_ref=${BASE_REF}@${ARCH_REF}" \| tee -a "${GITHUB_ENV}"
	done

	- name: Extract SBOMs
	run: \|
	mkdir -p sboms

	# Extract SBOM for AMD64
	docker buildx imagetools inspect ${{ steps.platform-digests.outputs.amd64_ref }} --format '{{json .SBOM.SPDX}}' > sboms/amd64.spdx.json

	# Extract SBOM for ARM64
	docker buildx imagetools inspect ${{ steps.platform-digests.outputs.arm64_ref }} --format '{{json .SBOM.SPDX}}' > sboms/arm64.spdx.json

	- name: Attest AMD64 SBOM
	uses: actions/attest-sbom@5026d3663739160db546203eeaffa6aa1c51a4d6 # v1.4.1
	with:
	subject-name: ${{ steps.platform-digests.outputs.amd64_ref }}
	subject-digest: ${{ steps.platform-digests.outputs.amd64_ref }}
	sbom-path: sboms/amd64.spdx.json
	push-to-registry: true

	- name: Attest ARM64 SBOM
	uses: actions/attest-sbom@5026d3663739160db546203eeaffa6aa1c51a4d6 # v1.4.1
	with:
	subject-name: ${{ steps.platform-digests.outputs.arm64_ref }}
	subject-digest: ${{ steps.platform-digests.outputs.arm64_ref }}
	sbom-path: sboms/arm64.spdx.json
	push-to-registry: true

	- name: Generate build provenance attestation
	if: env.PUSH_IMAGE
	uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4
	with:
	subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE }}
	subject-digest: ${{ steps.build.outputs.digest }}
	push-to-registry: true

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat(ci): generate and push build provenance attestations #44

Workflow file

feat(ci): generate and push build provenance attestations #44

Jobs

Run details

Workflow file for this run