Merge pull request #717 from Automattic/add/provenance-attestation

ci: attest build provenance for Docker images

.github/actions/build-docker-image/action.yml

@@ -64,6 +64,7 @@ runs:
 
     - name: Build and push container image
       uses: docker/build-push-action@v5
+      id: push
       with:
         context: ${{ inputs.context }}
         file: ${{ inputs.file }}
@@ -77,6 +78,19 @@ runs:
         cache-to: ${{ inputs.cache-to }}
         no-cache: ${{ inputs.no-cache }}
 
+    - name: Get image name
+      shell: bash
+      id: imagename
+      run: echo "image_name=$(echo "${{ inputs.primaryTag }}" | cut -d ':' -f 1)" >> "${GITHUB_OUTPUT}"
+
+    - name: Attest
+      uses: actions/attest-build-provenance@897ed5eab6ed058a474202017ada7f40bfa52940 # v1.0.0
+      with:
+        subject-name: ${{ steps.imagename.outputs.image_name }}
+        subject-digest: ${{ steps.push.outputs.digest }}
+        push-to-registry: false
+      if: inputs.push == 'true'
+
     - name: Load image to local Docker
       uses: docker/build-push-action@v5
       with:

.github/workflows/alpine.yml

@@ -31,6 +31,8 @@ jobs:
       contents: read
       pull-requests: write
       security-events: write
+      id-token: write
+      attestations: write
     steps:
       - name: Check out the repo
         uses: actions/checkout@v4

.github/workflows/build-skeleton.yml

@@ -17,6 +17,8 @@ jobs:
       packages: write
       contents: read
       security-events: write
+      id-token: write
+      attestations: write
     steps:
       - name: Check out the repo
         uses: actions/checkout@v4

.github/workflows/dev-tools.yml

@@ -31,6 +31,8 @@ jobs:
       contents: read
       pull-requests: write
       security-events: write
+      id-token: write
+      attestations: write
     steps:
       - name: Check out the repo
         uses: actions/checkout@v4

.github/workflows/mu-plugins.yml

@@ -34,6 +34,8 @@ jobs:
       contents: read
       pull-requests: write
       security-events: write
+      id-token: write
+      attestations: write
     steps:
       - name: Check out the repo
         uses: actions/checkout@v4

.github/workflows/nginx.yml

@@ -31,6 +31,8 @@ jobs:
       contents: read
       pull-requests: write
       security-events: write
+      id-token: write
+      attestations: write
     steps:
       - name: Check out the repo
         uses: actions/checkout@v4

.github/workflows/photon.yml

@@ -31,6 +31,8 @@ jobs:
       contents: read
       pull-requests: write
       security-events: write
+      id-token: write
+      attestations: write
     steps:
       - name: Check out the repo
         uses: actions/checkout@v4

.github/workflows/php-fpm.yml

@@ -31,6 +31,8 @@ jobs:
       contents: read
       pull-requests: write
       security-events: write
+      id-token: write
+      attestations: write
     strategy:
       fail-fast: false
       matrix:

.github/workflows/skeleton.yml

@@ -31,6 +31,8 @@ jobs:
       contents: read
       pull-requests: write
       security-events: write
+      id-token: write
+      attestations: write
     steps:
       - name: Check out the repo
         uses: actions/checkout@v4

.github/workflows/traefik.yml

@@ -31,6 +31,8 @@ jobs:
       contents: read
       pull-requests: write
       security-events: write
+      id-token: write
+      attestations: write
     steps:
       - name: Check out the repo
         uses: actions/checkout@v4

.github/workflows/wordpress.yml

@@ -48,6 +48,8 @@ jobs:
       packages: write
       pull-requests: write
       security-events: write
+      id-token: write
+      attestations: write
     strategy:
       fail-fast: false
       matrix: