chore: streamline Docker workflow with attestation support

Updated GitHub Actions workflow based on kit.pivoine.art template: Permissions: - Added id-token: write (required for attestations) - Added attestations: write (enables build provenance) Improvements: - Added workflow_dispatch trigger for manual runs - Updated docker/build-push-action from v5 to v6 - Added conditional login (skip on pull requests) - Added artifact attestation step with actions/attest-build-provenance@v2 - Generates and pushes build provenance to registry - Provides supply chain security and transparency Attestation benefits: - Verifiable build provenance - SLSA (Supply chain Levels for Software Artifacts) compliance - Cryptographically signed metadata about build process - Helps users verify image authenticity The workflow now matches modern Docker image publishing best practices with full attestation support for enhanced security. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-08 11:03:49 +01:00
parent 08026893d3
commit f2d2bd7e25
1 changed files with 14 additions and 4 deletions
--- a/.github/workflows/docker-build-push.yml
+++ b/.github/workflows/docker-build-push.yml
@@ -9,6 +9,7 @@ on:
  pull_request:
    branches:
      - main
+  workflow_dispatch:

 env:
  REGISTRY: ghcr.io
@@ -20,6 +21,8 @@ jobs:
    permissions:
      contents: read
      packages: write
+      id-token: write
+      attestations: write

    steps:
      - name: Checkout repository
@@ -28,7 +31,8 @@ jobs:
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

-      - name: Log in to GitHub Container Registry
+      - name: Log into registry ${{ env.REGISTRY }}
+        if: github.event_name != 'pull_request'
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
@@ -50,7 +54,8 @@ jobs:
            type=raw,value=latest,enable={{is_default_branch}}

      - name: Build and push Docker image
-        uses: docker/build-push-action@v5
+        id: build-and-push
+        uses: docker/build-push-action@v6
        with:
          context: .
          push: ${{ github.event_name != 'pull_request' }}
@@ -60,5 +65,10 @@ jobs:
          cache-to: type=gha,mode=max
          platforms: linux/amd64,linux/arm64

-      - name: Image digest
-        run: echo ${{ steps.meta.outputs.digest }}
+      - name: Generate artifact attestation
+        if: github.event_name != 'pull_request'
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          subject-digest: ${{ steps.build-and-push.outputs.digest }}
+          push-to-registry: true