From acf09b523b5c0cd1f663859e1b83a1cd09489ade Mon Sep 17 00:00:00 2001
From: Sylvain Rabot
Date: Sun, 7 Jul 2024 18:43:17 +0200
Subject: [PATCH] Generate attestation for gerenated docker image

Signed-off-by: Sylvain Rabot
---
 .dockerignore | 3 +++
 .github/workflows/release.yaml | 10 ++++++++++
 .gitignore | 1 +
 Makefile | 1 +
 4 files changed, 15 insertions(+)
 create mode 100644 .dockerignore

diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000..47a21f2
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,3 @@
+dist
+.go-build-flags
+.buildx-metadata.json
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 50a3b1a..14057ad 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -79,5 +79,15 @@ jobs:
 run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
 - name: Build and push docker image
+ id: docker-build
 run: |
 make docker-buildx-push
+ jq -r '."image.name" | split(":"; null)[0] | ("image="+.)' < .buildx-metadata.json >> "$GITHUB_OUTPUT"
+ jq -r '."containerimage.digest" | ("digest="+.)' < .buildx-metadata.json >> "$GITHUB_OUTPUT"
+
+ - uses: actions/attest-build-provenance@v1
+ with:
+ subject-name: ${{ steps.docker-build.outputs.image }}
+ subject-digest: ${{ steps.docker-build.outputs.digest }}
+ push-to-registry: true
+
 
diff --git a/.gitignore b/.gitignore
index df635fc..b455a24 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,4 @@ dist
 .vscode
 .go-build-flags
 go.work*
+.buildx-metadata.json
diff --git a/Makefile b/Makefile
index 3d5dfce..a194736 100644
--- a/Makefile
+++ b/Makefile
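Review bot: The two added `jq -r` lines in the `docker-build` step export whatever the metadata file holds without checking it — `jq -r` exits 0 on a missing key and prints `null`, so `image=null` / `digest=null` would be handed to `subject-name` / `subject-digest` and the problem would only surface in the attestation step, and `split(":"; null)[0]` on `image.name` would return just the host if the registry name ever carried a port (not the case for `ghcr.io`, but worth a comment). Use `jq -er` so a null aborts the step under the default `bash -e` shell and validate the digest before exporting it, e.g. `digest=$(jq -er '."containerimage.digest"' < .buildx-metadata.json)`, `[[ "$digest" =~ ^sha256:[0-9a-f]{64}$ ]] || exit 1`, `echo "digest=$digest" >> "$GITHUB_OUTPUT"`. The new `attest-build-provenance` step requires `id-token: write` and `attestations: write`, and with `push-to-registry: true` also `packages: write`, in the job's `permissions` block, which lies outside this hunk — confirm it grants them or the step will fail at runtime. Because this step is the one producing the provenance, pin `actions/attest-build-provenance` to a full commit SHA instead of the mutable `v1` tag. The enclosing job definition begins outside the hunk.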
@@ -111,6 +111,7 @@ DOCKER_BUILD_LABELS += --label org.opencontainers.image.revision=$(GIT_REVIS
 DOCKER_BUILD_LABELS += --label org.opencontainers.image.version=$(GIT_VERSION)
 DOCKER_BUILD_LABELS += --label org.opencontainers.image.created=$(shell date -u +'%Y-%m-%dT%H:%M:%SZ')
 DOCKER_BUILD_BUILD_ARGS ?= --build-arg=GO_VERSION=$(DOCKER_BUILD_GO_VERSION)
+DOCKER_BUILD_BUILD_ARGS += --metadata-file=.buildx-metadata.json
 DOCKER_BUILDX_PLATFORMS ?= linux/amd64,linux/arm64,linux/arm/v7,linux/arm/v6
 ifeq ($(CI),true)