diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index fae55e6d5642c..e49cea599d124 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -23,6 +23,10 @@ jobs: fail-fast: false matrix: version: ["18.04", "20.04", "22.04", "24.04"] + permissions: + contents: read # for code access + attestations: write # for actions/attest-build-provenance + id-token: write # for actions/attest-build-provenance steps: - name: Checkout uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 diff --git a/.github/workflows/pkg-installer.yml b/.github/workflows/pkg-installer.yml index 5abe7152c9f9f..5261c8f484d37 100644 --- a/.github/workflows/pkg-installer.yml +++ b/.github/workflows/pkg-installer.yml @@ -19,6 +19,10 @@ jobs: build: if: github.repository_owner == 'Homebrew' runs-on: macos-latest + permissions: + contents: read # for code access + attestations: write # for actions/attest-build-provenance + id-token: write # for actions/attest-build-provenance outputs: installer_path: "Homebrew-${{ steps.homebrew-version.outputs.version }}.pkg" env: @@ -119,6 +123,11 @@ jobs: security delete-keychain "${RUNNER_TEMP}/${TEMPORARY_KEYCHAIN_FILE}" fi + - name: Generate build provenance + uses: actions/attest-build-provenance@5e9cb68e95676991667494a6a4e59b8a2f13e1d0 # v1.3.3 + with: + subject-path: Homebrew-${{ steps.homebrew-version.outputs.version }}.pkg + - name: Upload installer to GitHub Actions uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4 with: diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 79d48a7700b8b..93c873c70960f 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -239,14 +239,30 @@ jobs: - name: Deploy the Docker image to GitHub Packages and Docker Hub if: github.ref == 'refs/heads/master' run: | - echo ${{secrets.HOMEBREW_BREW_GITHUB_PACKAGES_TOKEN}} | + echo ${{ secrets.HOMEBREW_BREW_GITHUB_PACKAGES_TOKEN }} | docker login ghcr.io -u BrewTestBot --password-stdin - docker tag brew "ghcr.io/homebrew/ubuntu22.04:master" - docker push "ghcr.io/homebrew/ubuntu22.04:master" - echo ${{secrets.HOMEBREW_BREW_DOCKER_TOKEN}} | + docker tag brew "ghcr.io/homebrew/ubuntu22.04:${{ github.ref_name }}" + docker push "ghcr.io/homebrew/ubuntu22.04:${{ github.ref_name }}" + echo ${{ secrets.HOMEBREW_BREW_DOCKER_TOKEN }} | docker login -u brewtestbot --password-stdin - docker tag brew "homebrew/ubuntu22.04:master" - docker push "homebrew/ubuntu22.04:master" + docker tag brew "homebrew/ubuntu22.04:${{ github.ref_name }}" + docker push "homebrew/ubuntu22.04:${{ github.ref_name }}" + + - name: Generate Docker image digest + if: github.ref == 'refs/heads/master' + id: digest + run: | + digest="$(docker image inspect --format='{{.Digest}}' brew)" + echo "digest=$digest" >> "$GITHUB_OUTPUT" + + - name: Generate Docker image build provenance + uses: actions/attest-build-provenance@5e9cb68e95676991667494a6a4e59b8a2f13e1d0 # v1.3.3 + if: github.ref == 'refs/heads/master' + id: attest + with: + push-to-registry: true + subject-digest: ${{ steps.digest.outputs.digest }} + subject-name: ghcr.io/homebrew/ubuntu22.04:${{ github.ref_name }} update-test: name: ${{ matrix.name }}