From d6f21d26114674e5098715e7c042f7f3f0be4ffe Mon Sep 17 00:00:00 2001
From: Frank Elsinga
Date: Thu, 16 May 2024 17:19:11 +0200
Subject: [PATCH] tested if `actions/attest-build-provenance` does require the tag to push to the registry
---
 .github/workflows/_docker-build.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/_docker-build.yml b/.github/workflows/_docker-build.yml
index 5c809ae27..7e7d7b2af 100644
--- a/.github/workflows/_docker-build.yml
+++ b/.github/workflows/_docker-build.yml
@@ -64,9 +64,10 @@ jobs:
 cache-from: type=gha
 cache-to: type=gha,mode=min
 - name: Attest
+ if: github.ref == 'refs/heads/main'
 uses: actions/attest-build-provenance@v1
 id: attest
 with:
- subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+ subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:main
 subject-digest: ${{ steps.push.outputs.digest }}
 push-to-registry: true
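Review bot: The new `subject-name` on the Attest step appends `:main`, but the action's README asks for the fully-qualified image name without a tag, since the image being attested is identified by `subject-digest`; keep `subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}` so the name recorded in the provenance statement matches what verifiers look up. The added `if: github.ref == 'refs/heads/main'` also means an image built from any other ref gets no provenance at all. If the push step (outside this hunk) is not gated the same way, consumers that enforce attestation verification will presumably reject those images, so gate both steps together or record the exception with a comment such as `# provenance is only published for main; images from other refs are unattested`. The job definition starts above the hunk, so the push step's condition cannot be confirmed from here.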