feat(ci): generate and push build provenance attestations

Use GitHub's support to generate attestations for the provenance of our builds. This will allow users to verify our images and trace them back to a CI run, for example using `gh attestation verify`.
grafana · Nov 7, 2024 · 6fb818e · 6fb818e
1 parent 23c0d91
commit 6fb818e
Showing 1 changed file with 18 additions and 6 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -28,36 +28,48 @@ on:
 jobs:
   main:
     runs-on: ubuntu-latest
+    env:
+      REGISTRY: ghcr.io
+      IMAGE: grafana/generate-policy-bot-config
+      PUSH_IMAGE: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
+
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-      - name: Set Docker Buildx up
-        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
-
       - name: Log into GHCR
         uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
-          registry: ghcr.io
+          registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ github.token }}
 
       - name: Calculate image metadata
         id: calculate-metadata
         uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
         with:
-          images: ghcr.io/grafana/generate-policy-bot-config
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE }}
           tags: |
             # tag with branch name for `main`
             type=ref,event=branch,enable={{is_default_branch}}
             # tag with semver, and `latest`
             type=ref,event=tag
+            # tag with pr-<number>-<sha>
+            type=ref,suffix=-{{sha}},event=pr
 
       - name: Build and push
+        id: build
         uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
         with:
           labels: ${{ steps.calculate-metadata.outputs.labels }}
           platforms: linux/amd64,linux/arm64
-          push: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
+          push: ${{ env.PUSH_IMAGE }}
           sbom: true
           tags: ${{ steps.calculate-metadata.outputs.tags }}
+
+      - name: Generate build provenance attestation
+        uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE }}
+          subject-digest: ${{ steps.build.outputs.digest }}
+          push-to-registry: ${{ env.PUSH_IMAGE }}