Adding attestation and permissions for standalone image

wileyj · wileyj · commit 76f651728197 · 2025-04-08T12:15:10.000-07:00
diff --git a/.github/workflows/image-build-source.yml b/.github/workflows/image-build-source.yml
@@ -23,6 +23,9 @@ jobs:
     runs-on: ubuntu-latest
     ## Requires the repo environment "Push to Docker", which will trigger a secondary approval step before running this workflow.
     environment: "Push to Docker"
+    permissions:
+      id-token: write
+      attestations: write
     steps:
       ## Setup Docker for the builds
       - name: Docker setup
@@ -68,3 +71,24 @@ jobs:
             GIT_COMMIT=${{ env.GITHUB_SHA_SHORT }}
             TARGET_CPU=x86-64-v3
           push: ${{ env.DOCKER_PUSH }}
+
+      ## Generate docker image attestation(s)
+      - name: Generate artifact attestation (${{ github.event.repository.name }})
+        id: attest_primary
+        uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # v2.2.3
+        with:
+          # subject-name: index.docker.io/${{ env.docker-org }}/${{ github.event.repository.name }}
+          subject-name:  |
+            index.docker.io/${{env.docker-org}}/${{ github.event.repository.name }}
+          subject-digest: ${{ steps.docker_build.outputs.digest }}
+          push-to-registry: true
+
+      - name: Generate artifact attestation (stacks-blockchain)
+        id: attest_secondary
+        uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # v2.2.3
+        with:
+          # subject-name: index.docker.io/${{ env.docker-org }}/${{ github.event.repository.name }}
+          subject-name:  |
+            index.docker.io/${{env.docker-org}}/stacks-blockchain
+          subject-digest: ${{ steps.docker_build.outputs.digest }}
+          push-to-registry: true
