Merge pull request #18 from step-security/docker-prov

Sign the docker image

Author: varunsh-coder

.github/workflows/actions_release.yml

@@ -0,0 +1,21 @@
+name: Release GitHub Actions
+
+on:
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: "Tag for the release"
+        required: true
+
+permissions:
+  contents: read
+
+jobs:
+  release:
+    permissions:
+      actions: read
+      id-token: write
+      contents: write
+    uses: step-security/reusable-workflows/.github/workflows/actions_release.yaml@v1
+    with:
+      tag: "${{ github.event.inputs.tag }}"

.github/workflows/ci-cd.yml

@@ -93,10 +93,12 @@ jobs:
         env:
           DOCKER_CLI_EXPERIMENTAL: enabled
         run: |
+          exists='false'
           if docker manifest inspect '${{ steps.action.outputs.image }}'
           then
-            echo "exists=true" >>$GITHUB_OUTPUT
+            exists='true'
           fi
+          echo "exists=$exists" >>$GITHUB_OUTPUT
         shell: bash
 
   deploy:
@@ -108,6 +110,10 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       packages: write
+    outputs:
+      image: ${{ steps.image.outputs.image }}
+      digest: ${{ steps.build.outputs.digest }}
+      should_push: ${{ steps.check_conditions.outputs.should_push }}
     steps:
       - name: Docker meta
         id: docker-meta
@@ -137,23 +143,52 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Check Conditions
+        id: check_conditions
+        run: |
+          should_push_value='false'
+          if [[ '${{ github.event_name }}' == 'push' ]]; then
+            if [[ ${{ startsWith(github.ref, 'refs/heads/main') }} && '${{ needs.config-deploy.outputs.image-exists }}' != 'true' ]]; then
+              should_push_value='true'
+            fi
+          fi
+          echo "should_push=$should_push_value" >> "$GITHUB_OUTPUT"
+
+
       - name: Build and push Docker image
         uses: docker/build-push-action@v4
+        id: build
         with:
           tags: ${{ steps.docker-meta.outputs.tags }}
           labels: ${{ steps.docker-meta.outputs.labels }}
           platforms: linux/amd64,linux/arm64
           pull: true
           # deploy image actions from commits pushed to main and
           # deploy Dockerfile actions from pushed version tags (no major versions)
-          push: |
-            ${{
-              github.event_name == 'push' && (
-                needs.config-deploy.outputs.image != 'Dockerfile' && startsWith(github.ref, 'refs/heads/main') && needs.config-deploy.outputs.image-exists != 'true' ||
-                needs.config-deploy.outputs.image == 'Dockerfile' && startsWith(github.ref, 'refs/tags/v') && contains(github.ref, '.')
-              )
-            }}
-
+          push: ${{ steps.check_conditions.outputs.should_push }}
+      - name: Output image
+        id: image
+        run: |
+          # NOTE: Set the image as an output because the `env` context is not
+          # available to the inputs of a reusable workflow call.
+          image_name="${IMAGE_REGISTRY}/${IMAGE_NAME}"
+          echo "image=$image_name" >> "$GITHUB_OUTPUT"
+  
+  provenance:
+    needs: [deploy]
+    permissions:
+      actions: read # for detecting the Github Actions environment.
+      id-token: write # for creating OIDC tokens for signing.
+      packages: write # for uploading attestations.
+    if: ${{ needs.deploy.outputs.should_push == 'true' }}
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
+    with:
+      image: ${{ needs.deploy.outputs.image }}
+      digest: ${{ needs.deploy.outputs.digest }}
+      registry-username: ${{ github.actor }}
+    secrets:
+      registry-password: ${{ secrets.GITHUB_TOKEN }}        
+  
   event_file:
     name: "Event File"
     runs-on: ubuntu-latest

.github/workflows/release.yml

@@ -143,7 +143,7 @@ outputs:
 
 runs:
   using: 'docker'
-  image: 'docker://ghcr.io/step-security/publish-unit-test-result-action:v1.0.1'
+  image: 'docker://ghcr.io/step-security/publish-unit-test-result-action:v1.0.2'
 
 branding:
   icon: 'check-square'

action.yml

@@ -11,7 +11,7 @@
     UnitTestRunDeltaResults, UnitTestRunResultsOrDeltaResults, ParseError
 
 # keep the version in sync with action.yml
-__version__ = 'v1.0.1'
+__version__ = 'v1.0.2'
 
 logger = logging.getLogger('publish')
 digest_prefix = '[test-results]:data:'