44 push :
55 tags : ["v*"]
66
7- permissions :
8- contents : write
9- packages : write
10-
117jobs :
128 build :
139 name : Build binaries
1410 runs-on : ubuntu-latest
11+ permissions :
12+ contents : read
1513 strategy :
14+ fail-fast : false
1615 matrix :
17- goos : [linux]
18- goarch : [amd64, arm64]
16+ include :
17+ - goos : linux
18+ goarch : amd64
19+ - goos : linux
20+ goarch : arm64
21+ - goos : darwin
22+ goarch : amd64
23+ - goos : darwin
24+ goarch : arm64
1925 steps :
2026 - uses : actions/checkout@v6
2127
@@ -40,12 +46,54 @@ jobs:
4046 name : pebblify-${{ matrix.goos }}-${{ matrix.goarch }}
4147 path : pebblify-${{ matrix.goos }}-${{ matrix.goarch }}
4248
49+ attest-binaries :
50+ name : Attest binaries
51+ runs-on : ubuntu-latest
52+ needs : build
53+ permissions :
54+ id-token : write
55+ attestations : write
56+ contents : read
57+ steps :
58+ - uses : actions/download-artifact@v8
59+ with :
60+ path : artifacts
61+ pattern : pebblify-*
62+ merge-multiple : true
63+
64+ - name : Attest build provenance
65+ uses : actions/attest-build-provenance@v4
66+ with :
67+ subject-path : artifacts/pebblify-*
68+
69+ - name : Generate SBOM
70+ uses : anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0
71+ with :
72+ path : artifacts/
73+ format : spdx-json
74+ output-file : sbom.spdx.json
75+
76+ - name : Attest SBOM
77+ uses : actions/attest-sbom@v4
78+ with :
79+ subject-path : artifacts/pebblify-*
80+ sbom-path : sbom.spdx.json
81+
4382 docker :
4483 name : Docker push
4584 runs-on : ubuntu-latest
85+ permissions :
86+ packages : write
87+ attestations : write
88+ id-token : write
89+ contents : read
4690 steps :
4791 - uses : actions/checkout@v6
4892
93+ - name : Lowercase repo
94+ id : repo
95+ run : echo "name=$(echo '${{ github.repository }}' | tr '[:upper:]' '[:lower:]')" >> "$GITHUB_OUTPUT"
96+
4997 - uses : docker/setup-qemu-action@v4
5098
5199 - uses : docker/setup-buildx-action@v4
63111 env :
64112 DOCKER_METADATA_ANNOTATIONS_LEVELS : manifest,index
65113 with :
66- images : ghcr.io/${{ github.repository }}
114+ images : ghcr.io/${{ steps.repo.outputs.name }}
67115 tags : |
68116 type=semver,pattern={{version}}
69117 type=semver,pattern={{major}}.{{minor}}
78126 org.opencontainers.image.base.name=alpine:3.22
79127
80128 - name : Build & push
129+ id : push
81130 uses : docker/build-push-action@v7
82131 with :
83132 context : .
@@ -91,10 +140,19 @@ jobs:
91140 labels : ${{ steps.meta.outputs.labels }}
92141 annotations : ${{ steps.meta.outputs.annotations }}
93142
143+ - name : Attest Docker image provenance
144+ uses : actions/attest-build-provenance@v4
145+ with :
146+ subject-name : ghcr.io/${{ steps.repo.outputs.name }}
147+ subject-digest : ${{ steps.push.outputs.digest }}
148+ push-to-registry : true
149+
94150 release :
95151 name : GitHub Release
96152 runs-on : ubuntu-latest
97- needs : [build, docker]
153+ needs : [build, attest-binaries]
154+ permissions :
155+ contents : write
98156 steps :
99157 - uses : actions/checkout@v6
100158 with :