diff --git a/.github/workflows/publish-docker-image.yml b/.github/workflows/publish-docker-image.yml
index 3b12ddd8..0abb4938 100644
--- a/.github/workflows/publish-docker-image.yml
+++ b/.github/workflows/publish-docker-image.yml
@@ -10,11 +10,16 @@ on:
 env:
 REGISTRY: ghcr.io
- IMAGE_NAME: ${{ github.repository }}
+ IMAGE_NAME: ${{ env.REGISTRY }}/${{ github.repository }}
 jobs:
 build:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+ attestations: write
+ id-token: write
 steps:
 - uses: actions/checkout@v3
 - uses: actions/setup-java@v4
@@ -22,26 +27,25 @@ jobs:
 distribution: 'temurin'
 java-version: '11'
 cache: 'sbt'
-
- - name: Build tarballs for Docker
- run: sbt --mem 4096 --batch buildTarballsForDocker
-
+ - run: sbt --mem 4096 --batch buildTarballsForDocker
 - uses: docker/login-action@v3
 with:
- registry: ghcr.io
+ registry: ${{ env.REGISTRY }}
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
 - uses: docker/setup-buildx-action@v3
- - id: meta
- uses: docker/metadata-action@v5
+ - uses: docker/metadata-action@v5
+ id: meta
 with:
- images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+ images: ${{ env.IMAGE_NAME }}
 flavor: latest=false
+ tags: type=raw,value=${{ inputs.dockerTag }}
 labels: |
 org.opencontainers.image.source=https://github.com/${{ github.repository }}
 org.opencontainers.image.licenses=MIT
 org.opencontainers.image.description="Unit Zero Node"
 - uses: docker/build-push-action@v5
+ id: push
 with:
 context: ./docker
 platforms: linux/amd64,linux/arm64
@@ -49,3 +53,8 @@ jobs:
 pull: true
 tags: ${{ steps.meta.outputs.tags }}
 labels: ${{ steps.meta.outputs.labels }}
+ - uses: actions/attest-build-provenance@v1
+ with:
+ subject-name: ${{ env.IMAGE_NAME}}
+ subject-digest: ${{ steps.push.outputs.digest }}
+ push-to-registry: true
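Review bot: The new `IMAGE_NAME: ${{ env.REGISTRY }}/${{ github.repository }}` sits in the workflow-level `env:` block, where GitHub Actions does not expose the `env` context (the context-availability rules list only `github`, `inputs`, `vars` and `secrets` there), so the workflow is rejected with an unrecognized named-value error or, at best, `REGISTRY` expands to nothing and the image loses its registry prefix. Since `REGISTRY` is a literal, write `IMAGE_NAME: ghcr.io/${{ github.repository }}` and keep `REGISTRY` for the login step, or compose the two values at step level as the old `images:` line did, because `env` is available in step inputs. The `images:` and `subject-name:` lines in the following hunks both consume this value, so the fix belongs here. The added `permissions` block is otherwise scoped as it should be for this job (read-only `contents`, `packages: write` for the push, `id-token` and `attestations` for the provenance step).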
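Review bot: `tags: type=raw,value=${{ inputs.dockerTag }}` together with `flavor: latest=false` leaves docker/metadata-action with no tags at all when `dockerTag` is empty or unset, and the `on:` block that declares the input is outside this hunk, so it cannot be seen whether the input is `required: true` or carries a default. Either make the input required where it is declared, or add a `type=sha` entry under `tags:` so there is always at least one tag and a misfired dispatch cannot reach the push step with an empty tag list. Dropping `name: Build tarballs for Docker` from the sbt step is a style regression: the job log now shows only the raw command for the longest step, so keep the `name:` alongside the shortened `run:`.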
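Review bot: `subject-name: ${{ env.IMAGE_NAME}}` is missing the space before `}}` that every other expression in the file has; write `subject-name: ${{ env.IMAGE_NAME }}`. More substantively, docker/metadata-action lowercases the `images:` value before tagging while `github.repository` keeps the owner/repo casing, so if either part contains uppercase letters the attestation subject will name a repository the image was never pushed to and `push-to-registry: true` is likely to fail; lowercase the name once in a small step that pipes `ghcr.io/${{ github.repository }}` through `tr '[:upper:]' '[:lower:]'` and appends `IMAGE_NAME=...` to `$GITHUB_ENV`, then use that value for both the metadata and attestation steps. `push-to-registry: true` also depends on the build-push step having `push: true`, which would sit in the elided lines of that step's `with:` block between the hunks, so please confirm it is set; the `steps:` list this step closes begins in the first hunk. Since this step runs with `id-token: write`, consider pinning `actions/attest-build-provenance@v1` to a full commit SHA rather than a floating major tag.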