From 0ed11eb495817464939f17b0b0702a5250585fc5 Mon Sep 17 00:00:00 2001
From: stack72
Date: Thu, 26 Mar 2026 19:39:51 +0100
Subject: [PATCH] feat: add supply chain attestations to Docker image builds

Add SLSA provenance (mode=max) and SBOM generation to both amd64 and arm64 Docker image builds. Add id-token:write permission so BuildKit can request a GitHub OIDC token for signed provenance attestations.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/workflows/release.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index f14876b1..f8189593 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -172,6 +172,7 @@ jobs:
     needs: release
     permissions:
       contents: read
+      id-token: write
     steps:
       - name: Checkout code
@@ -218,6 +219,8 @@ jobs:
         platforms: linux/amd64
         push: true
         tags: systeminit/swamp:${{ env.docker_tag }}-amd64
+        provenance: mode=max
+        sbom: true
       - name: Build and push (arm64)
         uses: docker/build-push-action@v6
@@ -226,6 +229,8 @@ jobs:
         platforms: linux/arm64
         push: true
         tags: systeminit/swamp:${{ env.docker_tag }}-arm64
+        provenance: mode=max
+        sbom: true
       - name: Create and push multi-arch manifest
         run: |
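Review bot: The attestations added to the two per-arch builds (`provenance: mode=max` and `sbom: true` in both build-push-action steps, second and third hunks) may not reach the tag consumers actually pull, because the following "Create and push multi-arch manifest" step has its `run:` body outside the last hunk; if that body uses `docker manifest create`, the attestation manifests attached to the `-amd64`/`-arm64` tags are dropped from the combined index, whereas `docker buildx imagetools create -t systeminit/swamp:${{ env.docker_tag }} systeminit/swamp:${{ env.docker_tag }}-amd64 systeminit/swamp:${{ env.docker_tag }}-arm64` carries them over. `mode=max` also records the Dockerfile and the values of any `build-args` in the provenance document pushed next to the image, so any sensitive build argument in the rest of each `with:` block (largely outside these hunks) would become readable from the registry and should be passed via the action's `secrets:` input instead. The description's "signed provenance attestations" appears to overstate what these inputs produce: BuildKit emits in-toto statements embedded in the image index, the `id-token: write` permission in the first hunk lets the action obtain an OIDC token to identify the workflow run in that provenance, and nothing in the diff signs them; a comment such as `# id-token: write lets build-push-action fetch a GitHub OIDC token used for provenance builder metadata` above the new permission line would make the intent clear.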