Add artifact attestation for GitHub Container Registry and update README for clarity

EvanDarwin · EvanDarwin · commit 2961d5e918d6 · 2025-04-19T01:58:49.000-07:00
diff --git a/.github/workflows/dockerimage.yml b/.github/workflows/dockerimage.yml
@@ -104,6 +104,13 @@ jobs:
         subject-name: index.docker.io/${{ steps.image_names.outputs.dockerhub_image }}
         subject-digest: ${{ steps.push.outputs.digest }}
         push-to-registry: true
+        
+    - name: Generate artifact attestation for GitHub Container Registry
+      uses: actions/attest-build-provenance@v2
+      with:
+        subject-name: ghcr.io/${{ steps.image_names.outputs.ghcr_image }}
+        subject-digest: ${{ steps.push.outputs.digest }}
+        push-to-registry: true
 
     - name: Generate SBOM
       if: github.event_name != 'pull_request'
diff --git a/README.md b/README.md
@@ -10,10 +10,13 @@ A simple `alpine` docker image that includes the Lua runtime as well as [LuaRock
 - LuaRocks 3.11.1 package manager
 - Based on Alpine Linux for a minimal footprint
 - Container attestation and SBOM support
+- Available on both Docker Hub and GitHub Container Registry (ghcr.io)
 
 ## Available Tags
 
-Several version tags are available for flexibility:
+Several version tags are available for flexibility on both Docker Hub and GitHub Container Registry:
+
+### Docker Hub
 
 ### Lua 5.4.7 (Latest)
 - `evandarwin/lua:5.4.7` - Specific version
@@ -33,6 +36,16 @@ Several version tags are available for flexibility:
 - `evandarwin/lua:5.1.4` - Specific version
 - `evandarwin/lua:5.1` - Major.Minor version
 
+### GitHub Container Registry
+
+The same version tags are available on GitHub Container Registry with the `ghcr.io/evandarwin` prefix:
+
+### Lua 5.4.7 (Latest)
+- `ghcr.io/evandarwin/lua:5.4.7` - Specific version
+- `ghcr.io/evandarwin/lua:5.4` - Major.Minor version
+- `ghcr.io/evandarwin/lua:5` - Major version only
+- `ghcr.io/evandarwin/lua:latest` - Latest stable release
+
 We recommend using the specific version tag for production environments to ensure stability, while the less specific tags can be used for development or when you want to automatically get updates.
 
 ## Docker Image Security
@@ -42,20 +55,26 @@ This image includes supply chain security features:
 ### Attestations
 
 The image build process includes:
-- Docker provenance attestation
+- Docker provenance attestation (for both Docker Hub and GitHub Container Registry images)
 - Software Bill of Materials (SBOM)
 
 ## Usage
 
 ```bash
-# Pull a specific version
+# Pull a specific version from Docker Hub
 docker pull evandarwin/lua:5.4.7
 
 # Or use the major.minor version
 docker pull evandarwin/lua:5.4
 
+# From GitHub Container Registry
+docker pull ghcr.io/evandarwin/lua:5.4.7
+
 # Run a Lua command
 docker run -it evandarwin/lua:5.4.7 lua -e "print('Hello from Lua!')"
+
+# Or use the GitHub Container Registry version
+docker run -it ghcr.io/evandarwin/lua:5.4.7 lua -e "print('Hello from Lua!')"
 ```
 
 Have fun!
