From 9fd4c743b8b4f27d34ba81d5538b7de9b8900b45 Mon Sep 17 00:00:00 2001
From: cpanato
Date: Mon, 27 May 2024 11:08:15 +0200
Subject: [PATCH] add provanance

Signed-off-by: cpanato
---
 .github/workflows/artifacts.yaml | 18 ++++++++++++++++++
 .github/workflows/ci.yaml | 1 +
 .github/workflows/release.yaml | 1 +
 3 files changed, 20 insertions(+)

diff --git a/.github/workflows/artifacts.yaml b/.github/workflows/artifacts.yaml
index 99d75305..3354b104 100644
--- a/.github/workflows/artifacts.yaml
+++ b/.github/workflows/artifacts.yaml
@@ -39,11 +39,13 @@ jobs:
 - distroless
 permissions:
+ attestations: write
 contents: read
 packages: write
 id-token: write
 security-events: write
+
 outputs:
 name: ${{ steps.image-name.outputs.value }}
 digest: ${{ steps.build.outputs.digest }}
@@ -175,6 +177,22 @@ jobs:
 # path: sbom-spdx.json
 # retention-days: 5
+ # TODO: uncomment when the action is working for non ghcr.io pushes. GH Issue: https://github.com/actions/attest-build-provenance/issues/80
+ # - name: Generate build provenance attestation
+ # uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2
+ # with:
+ # subject-name: dexidp/dex
+ # subject-digest: ${{ steps.build.outputs.digest }}
+ # push-to-registry: true
+ - name: Generate build provenance attestation
+ uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2
+ with:
+ subject-name: ghcr.io/dexidp/dex
+ subject-digest: ${{ steps.build.outputs.digest }}
+ push-to-registry: true
+ if: inputs.publish
+
 - name: Run Trivy vulnerability scanner
 uses: aquasecurity/trivy-action@b2933f565dbc598b29947660e66259e3c7bc8561 # 0.20.0
 with:
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 3fd00f66..946d0e47 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
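Review bot: The new `attestations: write` grant in the artifacts.yaml permissions block carries no comment naming the step that needs it, and it is one of three scopes this job now holds for the provenance step (`id-token: write` signs the attestation, `packages: write` is what `push-to-registry` relies on), so a later least-privilege pass has nothing to go on when deciding what can be dropped. I would annotate it `attestations: write  # actions/attest-build-provenance; also needs id-token: write, and packages: write for push-to-registry`. The same unconditional grant is added in the ci.yaml and release.yaml hunks; that appears necessary because this looks like a reusable workflow (`inputs.publish`) and a called workflow's permissions cannot exceed its caller's, but it means the calling jobs hold the scope on every run even when `inputs.publish` is false, which is worth stating in the same comment.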
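Review bot: `subject-name: ghcr.io/dexidp/dex` is hard-coded although the job already computes the pushed image name (`steps.image-name.outputs.value`, exposed in the first hunk's `outputs:`), so the attested subject can silently diverge from what the build step produced — on a fork or after a rename the step would either fail on `push-to-registry` or bind provenance to a name that was never published. If that output is the single ghcr.io reference, `subject-name: ${{ steps.image-name.outputs.value }}` keeps the two aligned; if it is a multi-registry list, as the commented-out Docker Hub block suggests it may be, derive the ghcr.io entry in the image-name step and reference it here. The step also runs before the Trivy scanner, so a scan that fails the job leaves a provenance attestation already pushed for that digest; if the scan is meant to gate publication, moving the attestation after it avoids attesting an image the pipeline then rejects. Two smaller points: place `if: inputs.publish` before `uses:` so the gating is visible at a glance, and add a comment telling consumers how to check the result, `# consumers verify with: gh attestation verify oci://ghcr.io/dexidp/dex@<digest> --owner dexidp`.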
@@ -159,6 +159,7 @@ jobs:
 DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
 DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
 permissions:
+ attestations: write
 contents: read
 packages: write
 id-token: write
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index f4c1ea02..dbf397cb 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -17,6 +17,7 @@ jobs:
 DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
 DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
 permissions:
+ attestations: write
 contents: read
 packages: write
 id-token: write