build: Add SLSA Provenance Attestation

Signed-off-by: Thomas Vitale <[email protected]>
ThomasVitale · May 16, 2024 · 3e9852d · 3e9852d
1 parent 7977d3d
commit 3e9852d
Showing 1 changed file with 15 additions and 15 deletions.
diff --git a/.github/workflows/multi-arch-publish.yml b/.github/workflows/multi-arch-publish.yml
@@ -173,18 +173,18 @@ jobs:
 
       - name: Sign image
         run: |
-          cosign sign --yes "${REGISTRY}/${IMAGE}@${IMAGE_DIGEST}"
-
-  # provenance:
-  #   needs: [merge]
-  #   permissions:
-  #     actions: read
-  #     id-token: write
-  #     packages: write
-  #   uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
-  #   with:
-  #     image: ${{ needs.build.outputs.image-name }}
-  #     digest: ${{ needs.build.outputs.image-digest }}
-  #     registry-username: ${{ github.actor }}
-  #   secrets:
-  #     registry-password: ${{ secrets.push-token }}
+          cosign sign --yes ${{ env.REGISTRY }}/${{ env.IMAGE }}:${{ IMAGE_DIGEST }}
+
+  provenance:
+    needs: [merge]
+    permissions:
+      actions: read
+      id-token: write
+      packages: write
+    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+    with:
+      image: ${{ needs.build.outputs.image-name }}
+      digest: ${{ needs.build.outputs.image-digest }}
+      registry-username: ${{ github.actor }}
+    secrets:
+      registry-password: ${{ secrets.push-token }}