From 8a0fab5a3e113d9afe63c06e7d58678fc1e23348 Mon Sep 17 00:00:00 2001
From: Miguel Piedrafita
Date: Tue, 8 Oct 2024 22:27:57 +0100
Subject: [PATCH] Attest docker image
---
 .github/workflows/release.yml | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 8925879..59afccd 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -4,16 +4,14 @@ on:
 tags: ["v*.*.*"]
 branches: ["main"]
-env:
- REGISTRY: ghcr.io
- IMAGE_NAME: ${{ github.repository }}
-
 jobs:
 build:
 runs-on: ubuntu-latest
 permissions:
 contents: read
+ id-token: write
 packages: write
+ attestations: write
 steps:
 - name: Checkout repository
@@ -23,7 +21,7 @@ jobs:
 id: meta
 uses: docker/metadata-action@v4
 with:
- images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+ images: ghcr.io/${{ github.repository }}
 tags: |
 # set latest tag for default branch
 type=raw,value=latest,enable={{is_default_branch}}
@@ -46,3 +44,11 @@ jobs:
 file: ./Dockerfile
 tags: ${{ steps.meta.outputs.tags }}
 labels: ${{ steps.meta.outputs.labels }}
+
+ - name: Attest
+ id: attest
+ uses: actions/attest-build-provenance@v1
+ with:
+ push-to-registry: true
+ subject-name: ghcr.io/${{ github.repository }}
+ subject-digest: ${{ steps.docker_build.outputs.digest }}
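Review bot: In the first hunk, `id-token: write` and `attestations: write` are granted to the whole `build` job, so every step in it can request an OIDC token, not just the new Attest step. The two actions visible in this patch, `docker/metadata-action@v4` and `actions/attest-build-provenance@v1`, are referenced by mutable tags, so a retagged or compromised release would run with the identity that signs this repository's provenance. Pin each `uses:` to a full commit SHA, e.g. `uses: actions/attest-build-provenance@<full-commit-sha> # v1`, and put a comment above the new scopes such as `# id-token + attestations: required by the Attest step to sign and store build provenance`. The job's other steps are outside the hunks and should be checked for the same tag-only pinning.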
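Review bot: The Attest step in the last hunk passes `subject-name: ghcr.io/${{ github.repository }}` as a second hand-written copy of the literal now used for `images:` in the second hunk, so the attested name and the pushed name can drift apart. `github.repository` also keeps the owner's original casing, while registry image names must be lowercase. The metadata action presumably normalises this for the tags, but `subject-name` receives the raw value, so a mixed-case owner would probably make the registry push of the attestation fail. Computing the lowercased image name once in an earlier step and referencing that output in both places would avoid both problems. `subject-digest` depends on the `docker_build` step, which is outside the hunk; if that step ever builds without pushing, `push-to-registry: true` has no image to attach to, so the Attest step should carry the same `if:` condition as the push. It is also worth documenting the consumer-side check, `gh attestation verify oci://ghcr.io/<owner>/<image>:<tag> --owner <owner>`, so the attestation is actually verified before deployment.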