Skip to content

Commit a3c538d

Browse files
authored
Merge the "enhancement/buildkit-attestations-max" branch into the "develop" branch
This merge updates `.github/workflows/deployment.yml` to grant the release workflow the permissions needed for signed BuildKit attestations and to switch the image build step from boolean provenance and SBOM flags to explicit `attests:` entries. The release build now requests `mode=max` provenance and SBOM attestations so published images carry the full attestation payload supported by BuildKit. In the top-level `permissions:` block, the workflow now adds `id-token: write` so the job can mint the OIDC token required for attestation signing. In the `Build and push (multi-registry, multi-platform)` step, `provenance: true` is replaced with `attests:` entry `type=provenance,mode=max`, and `sbom: true` is replaced with `attests:` entry `type=sbom,mode=max`, leaving the rest of the build configuration unchanged. No other files or workflow jobs are modified by this merge.
2 parents a85254b + 42ea033 commit a3c538d

1 file changed

Lines changed: 4 additions & 2 deletions

File tree

.github/workflows/deployment.yml

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -36,6 +36,7 @@ permissions:
3636
contents: read
3737
packages: write
3838
deployments: write
39+
id-token: write
3940

4041
# Global environment variables used across jobs.
4142
env:
@@ -121,8 +122,9 @@ jobs:
121122
platforms: linux/amd64,linux/arm64
122123
tags: ${{ steps.meta.outputs.tags }}
123124
labels: ${{ steps.meta.outputs.labels }}
124-
provenance: true
125-
sbom: true
125+
attests: |
126+
type=provenance,mode=max
127+
type=sbom,mode=max
126128
cache-from: type=gha
127129

128130
# Marking deployment as "success" if the workflow succeeds.

0 commit comments

Comments
 (0)