Skip to content

Commit

Permalink
feat: attest image, verify base image
Browse files Browse the repository at this point in the history
Signed-off-by: K.B.Dharun Krishna <[email protected]>
  • Loading branch information
kbdharun committed Jul 1, 2024
1 parent 8827b77 commit 0a04fd6
Showing 1 changed file with 22 additions and 2 deletions.
24 changes: 22 additions & 2 deletions .github/workflows/vib-build.yml
Original file line number Diff line number Diff line change
Expand Up @@ -17,8 +17,19 @@ permissions:
packages: write # Allow pushing images to GHCR

jobs:
verify-image:
runs-on: ubuntu-latest

steps:
- name: Verify Base Image Integrity
run:
gh attestation verify oci://ghcr.io/vanilla-os/pico:main --owner Vanilla-OS
env:
GH_TOKEN: ${{ github.token }}

build:
runs-on: ubuntu-latest
needs: verify-image

steps:
- uses: actions/checkout@v4
Expand All @@ -34,14 +45,14 @@ jobs:
run: |
REPO_OWNER_LOWERCASE="$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]')"
echo "REPO_OWNER_LOWERCASE=$REPO_OWNER_LOWERCASE" >> "$GITHUB_ENV"
echo "IMAGE_NAME=ghcr.io/$REPO_OWNER_LOWERCASE/vso" >> "$GITHUB_ENV"
echo "IMAGE_URL=ghcr.io/$REPO_OWNER_LOWERCASE/vso" >> "$GITHUB_ENV"
- name: Docker meta
id: docker_meta
uses: docker/metadata-action@v5
with:
images: |
${{ env. IMAGE_NAME }}
${{ env. IMAGE_URL }}
tags: |
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
Expand Down Expand Up @@ -73,3 +84,12 @@ jobs:
cache-to: type=gha,mode=max
platforms: linux/amd64
provenance: false

- name: Attest pushed image
uses: actions/attest-build-provenance@v1
id: attest
if: ${{ github.event_name != 'pull_request' }}
with:
subject-name: ${{ env.IMAGE_URL }}
subject-digest: ${{ steps.push.outputs.digest }}
push-to-registry: false

0 comments on commit 0a04fd6

Please sign in to comment.