diff --git a/.github/workflows/artifacts.yaml b/.github/workflows/artifacts.yaml
index 99d7530550..807137b98f 100644
--- a/.github/workflows/artifacts.yaml
+++ b/.github/workflows/artifacts.yaml
@@ -39,11 +39,13 @@ jobs:
           - distroless
     permissions:
+      attestations: write
       contents: read
       packages: write
       id-token: write
       security-events: write
+
     outputs:
       name: ${{ steps.image-name.outputs.value }}
       digest: ${{ steps.build.outputs.digest }}
@@ -175,6 +177,19 @@ jobs:
       #     path: sbom-spdx.json
       #     retention-days: 5
+      # TODO: uncomment when the action is working for non ghcr.io pushes. GH Issue: https://github.com/actions/attest-build-provenance/issues/80
+      # - uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2
+      #   with:
+      #     subject-name: dexidp/dex
+      #     subject-digest: ${{ steps.build.outputs.digest }}
+      #     push-to-registry: true
+
+      - uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2
+        with:
+          subject-name: ghcr.io/dexidp/dex
+          subject-digest: ${{ steps.build.outputs.digest }}
+          push-to-registry: true
+
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@b2933f565dbc598b29947660e66259e3c7bc8561 # 0.20.0
         with:
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 3fd00f6619..946d0e47cb 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -159,6 +159,7 @@ jobs:
       DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
       DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
     permissions:
+      attestations: write
       contents: read
       packages: write
       id-token: write
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index f4c1ea027b..dbf397cbbe 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -17,6 +17,7 @@ jobs:
       DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
       DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
     permissions:
+      attestations: write
       contents: read
       packages: write
       id-token: write
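Review bot: The new attestation step placed between the commented-out block and the Trivy step has no `name:`, so it shows in the job log only as the pinned action reference; the neighbouring `- name: Run Trivy vulnerability scanner` step sets the convention, so add `- name: Attest build provenance` above the `uses:` line. The step also hardcodes `subject-name: ghcr.io/dexidp/dex` while the job's `outputs.name` in the first hunk is taken from `steps.image-name.outputs.value`; if that step can yield a name other than the literal, the attestation subject would not match the image that was actually pushed, so either derive the subject from the same step or add a comment stating why the literal is the right subject. The TODO line runs far past the usual 120-column limit; moving the issue link onto its own `#` line keeps yamllint quiet without losing the reference. The enclosing steps list continues outside the hunk.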
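Review bot: `attestations: write` is added to a ci.yaml job that, judging by the `DOCKER_USERNAME`/`DOCKER_PASSWORD` secrets beside it, is the caller of the artifacts workflow, and the identical one-line change is made in release.yaml in the next hunk. If this ci.yaml job also runs for `pull_request` events from forks, the token there cannot mint an OIDC identity, so the attestation step would fail rather than be skipped; a comment recording that expectation, such as `# attestations: write only takes effect on pushes from this repository`, or an `if:` guard on the calling job, would make the failure mode explicit. The job's triggers are outside the hunk, so this is inferred from the secrets alone.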