From 082bfbf2d27e05fe14fe0e592966694d8afdb768 Mon Sep 17 00:00:00 2001
From: Chris Penner
Date: Fri, 17 May 2024 09:53:15 -0700
Subject: [PATCH] Don't add attestations when we don't publish the build
---
 .github/workflows/ci.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index ea559e0..6271ad9 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -179,6 +179,7 @@ jobs:
 # This step generates an artifact attestation for the image, which is an unforgeable statement about where and how it was built. It increases supply chain security for people who consume the image. For more information, see "[AUTOTITLE](/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds)."
 - name: Generate artifact attestation
 uses: actions/attest-build-provenance@v1.1.0
+ if: ${{ env.is_published_build }}
 with:
 subject-name: ${{ env.container_registry }}/${{ env.docker_image_name}}
 subject-digest: ${{ steps.push.outputs.digest }}
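Review bot: The added `if: ${{ env.is_published_build }}` tests an `env` value, and `env` context values are always strings, so a value of `'false'` is a non-empty string and the condition still passes. If `is_published_build` is set from a boolean expression (its definition is outside this hunk, so this is an assumption to confirm), the attestation step would keep running on unpublished builds, where `steps.push.outputs.digest` is presumably empty. Comparing explicitly avoids this: `if: ${{ env.is_published_build == 'true' }}`. Any other step gated on the same variable is worth checking for the same pattern, and a short comment on the step saying the attestation is only meaningful for a pushed digest would help.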