From 8ecdad511d2216d551d098a80b26c64cfee914b2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bastian=20Echterh=C3=B6lter?=
Date: Sat, 11 Apr 2026 12:13:52 +0200
Subject: [PATCH 1/2] feat(ci): add SLSA build provenance attestation to Docker image builds
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Add actions/attest-build-provenance step to the shared Docker build workflow, producing SLSA-compatible provenance for all container images pushed to GHCR.
Uses continue-on-error since caller workflows need to add attestations:write permission to fully enable this.
Ref: platform-mesh/backlog#229
Signed-off-by: Bastian Echterhölter
On-behalf-of: @SAP
---
 .github/workflows/job-docker-build-push.yml | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/.github/workflows/job-docker-build-push.yml b/.github/workflows/job-docker-build-push.yml
index bede7b68..59818fb6 100644
--- a/.github/workflows/job-docker-build-push.yml
+++ b/.github/workflows/job-docker-build-push.yml
@@ -25,6 +25,7 @@ jobs:
 contents: write
 packages: write
 id-token: write
+ attestations: write
 steps:
 - name: Login to GitHub Container Registry
 uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4
@@ -52,6 +53,14 @@ jobs:
 - name: Sign container image
 if: ${{ (github.head_ref || github.ref) == format('refs/heads/{0}',inputs.release_branch) }}
 run: cosign sign --yes ${{ inputs.imageTagName }}@${{ steps.build.outputs.digest }}
+ - name: Attest build provenance
+ if: ${{ (github.head_ref || github.ref) == format('refs/heads/{0}',inputs.release_branch) }}
+ continue-on-error: true # Requires 'attestations: write' in caller workflow permissions
+ uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4
+ with:
+ subject-name: ${{ inputs.imageTagName }}
+ subject-digest: ${{ steps.build.outputs.digest }}
+ push-to-registry: true
 - name: Create Release
 if: ${{ (github.head_ref || github.ref) == format('refs/heads/{0}',inputs.release_branch) }}
 uses: ncipollo/release-action@339a81892b84b4eeb0f6e744e4574d79d0d9b8dd # v1.21.0
From b3b858c245c2f3a83c87a2acdce119da13c4b7f6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bastian=20Echterh=C3=B6lter?=
Date: Sat, 11 Apr 2026 12:20:52 +0200
Subject: [PATCH 2/2] chore: remove continue-on-error from attestation step
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Caller workflows will have attestations:write before this lands.
Signed-off-by: Bastian Echterhölter
On-behalf-of: @SAP
---
 .github/workflows/job-docker-build-push.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/job-docker-build-push.yml b/.github/workflows/job-docker-build-push.yml
index 59818fb6..5c524b31 100644
--- a/.github/workflows/job-docker-build-push.yml
+++ b/.github/workflows/job-docker-build-push.yml
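Review bot: `subject-name: ${{ inputs.imageTagName }}` in the added step should be checked against what callers actually pass, because actions/attest-build-provenance with `push-to-registry: true` expects a fully-qualified, tag-less image name (registry/owner/image) and, as I understand it, rejects a subject name that carries a `:tag`; the `cosign sign` line just above tolerates `name:tag@digest`, so an input that works for signing may still break the attestation step once the second commit drops `continue-on-error`. If `imageTagName` can include a tag, strip it before passing it as the subject (or document on the input that it must be tag-less), so that the attestation is attached to the same `${{ steps.build.outputs.digest }}` the signature covers. The branch `if:` guard is now repeated verbatim on three consecutive steps; computing it once into a step output and referencing that would keep the signing, attestation and release gates from drifting apart. The enclosing `steps:` list begins outside the hunk.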
@@ -55,7 +55,6 @@ jobs:
 run: cosign sign --yes ${{ inputs.imageTagName }}@${{ steps.build.outputs.digest }}
 - name: Attest build provenance
 if: ${{ (github.head_ref || github.ref) == format('refs/heads/{0}',inputs.release_branch) }}
- continue-on-error: true # Requires 'attestations: write' in caller workflow permissions
 uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4
 with:
 subject-name: ${{ inputs.imageTagName }}