ci: enable attestations on binaries and images (#313)

wolf31o2 · web-flow · commit a4d73c1d4818 · 2024-12-10T15:20:18.000-05:00
Signed-off-by: Chris Gianelloni &lt;wolf31o2@blinklabs.io&gt;
diff --git a/.github/workflows/ci-docker.yml b/.github/workflows/ci-docker.yml
@@ -14,6 +14,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          fetch-depth: '0'
       - name: qemu
         uses: docker/setup-qemu-action@v3
       - uses: docker/setup-buildx-action@v3
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -44,10 +44,16 @@ jobs:
         os: [linux, darwin, freebsd, windows]
         arch: [amd64, arm64]
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+      attestations: write
     needs: [create-draft-release]
     steps:
       - run: "echo \"RELEASE_TAG=${GITHUB_REF#refs/tags/}\" >> $GITHUB_ENV"
       - uses: actions/checkout@v4
+        with:
+          fetch-depth: '0'
       - uses: actions/setup-go@v5
         with:
           go-version: 1.22.x
@@ -60,19 +66,30 @@ jobs:
           if [[ ${{ matrix.os }} == windows ]]; then
             _filename=${_filename}.exe
           fi
-          mv cardano-node-api ${_filename}
+          cp cardano-node-api ${_filename}
           curl \
             -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
             -H "Content-Type: application/octet-stream" \
             --data-binary @${_filename} \
             https://uploads.github.com/repos/${{ github.repository_owner }}/cardano-node-api/releases/${{ needs.create-draft-release.outputs.RELEASE_ID }}/assets?name=${_filename}
+      - name: Attest binary
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-path: 'cardano-node-api'
 
   build-images:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+      attestations: write
+      packages: write
     needs: [create-draft-release]
     steps:
       - run: "echo \"RELEASE_TAG=${GITHUB_REF#refs/tags/}\" >> $GITHUB_ENV"
       - uses: actions/checkout@v4
+        with:
+          fetch-depth: '0'
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
       - name: Set up Docker Buildx
@@ -102,12 +119,25 @@ jobs:
             # semver
             type=semver,pattern={{version}}
       - name: Build images
+        id: push
         uses: docker/build-push-action@v6
         with:
           outputs: "type=registry,push=true"
           platforms: linux/amd64,linux/arm64
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+      - name: Attest Docker Hub image
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-name: index.docker.io/blinklabs/cardano-node-api
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
+      - name: Attest GHCR image
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-name: ghcr.io/${{ github.repository }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
       # Update Docker Hub from README
       - name: Docker Hub Description
         uses: peter-evans/dockerhub-description@v4
