Adding an attestation of provenance for image entrypoint gorel

Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>
ThalesGroup · Nov 14, 2024 · a7bd374 · a7bd374
1 parent 943dd56
commit a7bd374
Showing 1 changed file with 21 additions and 0 deletions.
diff --git a/.github/workflows/base-container-build.yaml b/.github/workflows/base-container-build.yaml
@@ -106,6 +106,7 @@ jobs:
     outputs:
       oci-image-digest: ${{ steps.kaniko.outputs.digest }}
 
+  # Job to build a SLSA provenance attestation
   base-image-provenance:
     name: Generate SLSA provenance attestation for OCI
     needs: build-base-image  # Ensure this job runs after build-base-image
@@ -190,6 +191,7 @@ jobs:
 
       - name: Build the OCI image
         uses: int128/kaniko-action@v1
+        id: kaniko
         with:
           push: true
           tags: ${{ steps.metadata.outputs.tags }}
@@ -199,3 +201,22 @@ jobs:
           file: ${{ env.GOREL_ENTRYP_CONTAINERFILE_NAME }}
           context: ${{ env.KANIKO_BUILD_CONTEXT }}
           verbosity: "info"  # https://github.com/GoogleContainerTools/kaniko#flag---verbosity
+
+    outputs:
+      oci-image-digest: ${{ steps.kaniko.outputs.digest }}
+
+  goreleaser-entryp-image-provenance:
+    name: Generate SLSA provenance attestation for OCI
+    needs: build-goreleaser-entryp-image  # Ensure this job runs after build-base-image
+    permissions:
+      actions: read # for detecting the Github Actions environment.
+      id-token: write # for creating OIDC tokens for signing. Required for SLSA and Cosign
+      packages: write # for uploading attestations. (https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#known-issues)
+      # Must be referenced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2
+    with:
+      image: ghcr.io/${{ github.repository }}
+      digest: ${{ needs.build-goreleaser-entryp-image.outputs.oci-image-digest }}
+    secrets:
+      registry-username: ${{ github.actor }}
+      registry-password: ${{ secrets.GITHUB_TOKEN }}