diff --git a/.github/workflows/atlantis-image.yml b/.github/workflows/atlantis-image.yml index fa892287f4..02f0f2dcec 100644 --- a/.github/workflows/atlantis-image.yml +++ b/.github/workflows/atlantis-image.yml @@ -45,6 +45,11 @@ jobs: needs: [changes] if: needs.changes.outputs.should-run-build == 'true' name: Build Image + permissions: + contents: read + id-token: write + packages: write + attestations: write strategy: matrix: image_type: [alpine, debian] @@ -129,6 +134,7 @@ jobs: run: echo "RELEASE_VERSION=${{ startsWith(github.ref, 'refs/tags/') && '${GITHUB_REF#refs/*/}' || 'dev' }}" >> $GITHUB_ENV - name: "Build ${{ env.PUSH == 'true' && 'and push' || '' }} ${{ env.DOCKER_REPO }} image" + id: build if: contains(fromJson('["push", "pull_request"]'), github.event_name) uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6 with: @@ -147,6 +153,14 @@ jobs: labels: ${{ steps.meta.outputs.labels }} outputs: type=image,name=target,annotation-index.org.opencontainers.image.description=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.description'] }} + - name: "Sign and Attest Image" + if: env.PUSH == 'true' + uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0 + with: + subject-digest: ${{ steps.build.outputs.digest }} + subject-name: ghcr.io/${{ github.repository }} + push-to-registry: true + test: needs: [changes] if: needs.changes.outputs.should-run-build == 'true' @@ -201,4 +215,4 @@ jobs: image_type: [alpine, debian] runs-on: ubuntu-24.04 steps: - - run: 'echo "No build required"' + - run: 'echo "No build required"' \ No newline at end of file