ci: add build attestations for container images

When building the kas container with the github ci, we now also create
and upload verifiable build attestations. By that, users can use tools
like cosign to verify the origin of the kas container images. In
addition, the attestations can be viewed in the github UI.

Signed-off-by: Felix Moessbauer <[email protected]>
Signed-off-by: Jan Kiszka <[email protected]>

.github/workflows/master.yml

@@ -9,6 +9,11 @@ jobs:
   deploy_containers:
     name: Build and deploy container images
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      packages: write
+      contents: read
+      attestations: write
     strategy:
       matrix:
         image-name: ["kas", "kas-isar"]
@@ -35,6 +40,7 @@ jobs:
       - name: Build ${{ matrix.image-name }} image
         uses: docker/build-push-action@v5
         if: ${{ env.PUSH_MASTER == 'true' }}
+        id: push
         with:
           context: /home/runner/kas-clone
           target: ${{ matrix.image-name }}
@@ -46,3 +52,9 @@ jobs:
           outputs: type=registry,rewrite-timestamp=true
           tags: ghcr.io/${{ github.repository }}/${{ matrix.image-name }}
           annotations: ${{ env.DOCKER_METADATA_OUTPUT_ANNOTATIONS }}
+      - name: Attest ${{ matrix.image-name }} image
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-name: ghcr.io/${{ github.repository }}/${{ matrix.image-name }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true

.github/workflows/next.yml

@@ -65,6 +65,11 @@ jobs:
     name: Build, test and deploy container images
     needs: perform_tests
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      packages: write
+      contents: read
+      attestations: write
     strategy:
       matrix:
         image-name: ["kas", "kas-isar"]
@@ -96,6 +101,7 @@ jobs:
           ../../kas-container build kas.yml
       - name: Complete build and deploy ${{ matrix.image-name }} image
         uses: docker/build-push-action@v5
+        id: push
         with:
           context: /home/runner/kas-clone
           target: ${{ matrix.image-name }}
@@ -107,3 +113,9 @@ jobs:
           outputs: type=registry,rewrite-timestamp=true
           tags: ghcr.io/${{ github.repository }}/${{ matrix.image-name }}:next
           annotations: ${{ env.DOCKER_METADATA_OUTPUT_ANNOTATIONS }}
+      - name: Attest ${{ matrix.image-name }} image
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-name: ghcr.io/${{ github.repository }}/${{ matrix.image-name }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true

.github/workflows/release.yml

@@ -9,6 +9,11 @@ jobs:
   deploy_containers:
     name: Build and deploy container images
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      packages: write
+      contents: read
+      attestations: write
     strategy:
       matrix:
         image-name: ["kas", "kas-isar"]
@@ -25,6 +30,7 @@ jobs:
           image-name: ${{ matrix.image-name }}
       - name: Build ${{ matrix.image-name }} image
         uses: docker/build-push-action@v5
+        id: push
         with:
           context: /home/runner/kas-clone
           target: ${{ matrix.image-name }}
@@ -39,3 +45,9 @@ jobs:
             ghcr.io/${{ github.repository }}/${{ matrix.image-name }}:${{ env.RELEASE_VERSION }}
             ghcr.io/${{ github.repository }}/${{ matrix.image-name }}:latest-release
           annotations: ${{ env.DOCKER_METADATA_OUTPUT_ANNOTATIONS }}
+      - name: Attest ${{ matrix.image-name }} image
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-name: ghcr.io/${{ github.repository }}/${{ matrix.image-name }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true