From 15d7ef283e29622d874ae524b3efa621bf5fc7ac Mon Sep 17 00:00:00 2001 From: Chris Gianelloni Date: Fri, 13 Dec 2024 13:59:47 -0500 Subject: [PATCH] ci: attestations for binaries and images Signed-off-by: Chris Gianelloni --- .github/workflows/ci-docker.yml | 2 ++ .github/workflows/publish.yml | 37 ++++++++++++++++++++++++++++++++- 2 files changed, 38 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci-docker.yml b/.github/workflows/ci-docker.yml index 4aa5416..e97882c 100644 --- a/.github/workflows/ci-docker.yml +++ b/.github/workflows/ci-docker.yml @@ -13,6 +13,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + fetch-depth: '0' - name: qemu uses: docker/setup-qemu-action@v3 - uses: docker/setup-buildx-action@v3 diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 9a20f70..9d41ba9 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -45,9 +45,19 @@ jobs: arch: [amd64, arm64] runs-on: ubuntu-latest needs: [create-draft-release] + permissions: + actions: write + attestations: write + checks: write + contents: write + id-token: write + packages: write + statuses: write steps: - run: "echo \"RELEASE_TAG=${GITHUB_REF#refs/tags/}\" >> $GITHUB_ENV" - uses: actions/checkout@v4 + with: + fetch-depth: '0' - uses: actions/setup-go@v5 with: go-version: 1.22.x 
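Review bot: The `permissions` block added to the matrix build job grants seven write scopes, but the steps visible in this hunk only need `id-token: write` and `attestations: write` for `actions/attest-build-provenance` and `contents: write` for the release-asset upload that authenticates with `GITHUB_TOKEN`; nothing here uses `actions`, `checks`, `packages` or `statuses`. Since `GITHUB_TOKEN` is available to every step, including the Go toolchain and module download, the unused scopes widen what a compromised build dependency could do with it (cancel runs, rewrite check results, push packages). Unless a step outside this hunk needs more, trim it to `permissions: { attestations: write, contents: write, id-token: write }`. The `fetch-depth: '0'` change is not tied to attestation and is unexplained; if full history is needed for version derivation, a comment such as `# full history so the build can read version tags` would say so. The job definition starts before this hunk.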
@@ -60,16 +70,28 @@ jobs: if [[ ${{ matrix.os }} == windows ]]; then _filename=${_filename}.exe fi - mv bursa ${_filename} + cp bursa ${_filename} curl \ -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ -H "Content-Type: application/octet-stream" \ --data-binary @${_filename} \ https://uploads.github.com/repos/${{ github.repository_owner }}/bursa/releases/${{ needs.create-draft-release.outputs.RELEASE_ID }}/assets?name=${_filename} + - name: Attest binary + uses: actions/attest-build-provenance@v2 + with: + subject-path: 'bursa' build-images: runs-on: ubuntu-latest needs: [create-draft-release] + permissions: + actions: write + attestations: write + checks: write + contents: write + id-token: write + packages: write + statuses: write steps: - run: "echo \"RELEASE_TAG=${GITHUB_REF#refs/tags/}\" >> $GITHUB_ENV" - uses: actions/checkout@v4 @@ -103,11 +125,24 @@ jobs: type=semver,pattern={{version}} - name: Build images uses: docker/build-push-action@v6 + id: push with: outputs: "type=registry,push=true" platforms: linux/amd64,linux/arm64 tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} + - name: Attest Docker Hub image + uses: actions/attest-build-provenance@v2 + with: + subject-name: index.docker.io/blinklabs/bursa + subject-digest: ${{ steps.push.outputs.digest }} + push-to-registry: true + - name: Attest GHCR image + uses: actions/attest-build-provenance@v2 + with: + subject-name: ghcr.io/${{ github.repository }} + subject-digest: ${{ steps.push.outputs.digest }} + push-to-registry: true # Update Docker Hub from README - name: Docker Hub Description uses: peter-evans/dockerhub-description@v4
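Review bot: The `Attest binary` step attests `subject-path: 'bursa'`, while the file actually uploaded to the release is `${_filename}` (`bursa-<os>-<arch>`, plus `.exe` on Windows), so every matrix leg emits an attestation whose subject is named plainly `bursa`. The digest should still match because `cp` keeps the content identical, but the provenance no longer records which platform binary it covers and the subject name does not correspond to any published asset. Export the name from the run step, `echo "ASSET_NAME=${_filename}" >> "$GITHUB_ENV"`, and attest `subject-path: ${{ env.ASSET_NAME }}` so the attested file is the one that was uploaded. The same over-broad `permissions` block is repeated for `build-images`; of its seven write scopes only `id-token`, `attestations` and `packages` are used by the steps visible in this file. The run step that computes `_filename` begins before this hunk.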
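Review bot: `push-to-registry: true` on the Docker Hub attestation pushes the Sigstore bundle as an OCI referrer using whatever registry login is in effect, and whether Docker Hub accepts referrer pushes for `index.docker.io/blinklabs/bursa` should be confirmed before relying on it; a failure here happens after `build-push-action` has already made the images public, so the release job would stop half-finished. If Docker Hub does not support it, drop `push-to-registry` on that step only: the attestation is still recorded with GitHub and remains verifiable by digest, which is what the GHCR step also relies on. Both steps reuse one `steps.push.outputs.digest`, which is only correct because a single build step pushed the same manifest index under both tag sets; a comment such as `# one buildx push, so the index digest is identical in both registries` would make that dependency explicit for the next editor. The `meta` step that defines the pushed image names is outside this hunk.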