Attest container image

- Attest the container image. - Refactor container publishing to simplify workflow. - Remove redundant property.
martincostello · May 2, 2024 · 2cec5ea · 2cec5ea
1 parent d99de13
commit 2cec5ea
Show file tree

Hide file tree

Showing 5 changed files with 44 additions and 25 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -43,6 +43,11 @@ jobs:
     outputs:
       container-tag: ${{ steps.publish-container.outputs.container-tag }}
 
+    permissions:
+      attestations: write
+      contents: read
+      id-token: write
+
     strategy:
       fail-fast: false
       matrix:
@@ -111,6 +116,31 @@ jobs:
         flags: ${{ matrix.os-name }}
         token: ${{ secrets.CODECOV_TOKEN }}
 
+    - name: Docker log in
+      uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
+      if: env.PUBLISH_CONTAINER == 'true'
+      with:
+        registry: ${{ env.CONTAINER_REGISTRY }}
+        username: ${{ secrets.ACR_REGISTRY_USERNAME }}
+        password: ${{ secrets.ACR_REGISTRY_PASSWORD }}
+
+    - name: Publish container
+      id: publish-container
+      if: runner.os == 'Linux'
+      shell: pwsh
+      env:
+        ContainerRegistry: ${{ env.PUBLISH_CONTAINER == 'true' && env.CONTAINER_REGISTRY || '' }}
+      run: |
+        dotnet publish ./src/LondonTravel.Site --arch x64 --os linux -p:PublishProfile=DefaultContainer
+
+    - name: Attest container image
+      uses: actions/attest-build-provenance@v1
+      if: steps.publish-container.outputs.container-digest != ''
+      with:
+        push-to-registry: true
+        subject-digest: ${{ steps.publish-container.outputs.container-digest }}
+        subject-name: ${{ steps.publish-container.outputs.container-image }}
+
     - name: Publish screenshots
       uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
       if: ${{ !cancelled() }}
@@ -135,27 +165,6 @@ jobs:
         path: ./artifacts/videos/*
         if-no-files-found: ignore
 
-    - name: Docker log in
-      uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
-      if: env.PUBLISH_CONTAINER == 'true'
-      with:
-        registry: ${{ env.CONTAINER_REGISTRY }}
-        username: ${{ secrets.ACR_REGISTRY_USERNAME }}
-        password: ${{ secrets.ACR_REGISTRY_PASSWORD }}
-
-    - name: Publish container
-      id: publish-container
-      if: ${{ runner.os == 'Linux' }}
-      shell: pwsh
-      env:
-        ContainerRegistry: ${{ env.PUBLISH_CONTAINER == 'true' && env.CONTAINER_REGISTRY || '' }}
-      run: |
-        dotnet publish ./src/LondonTravel.Site --arch x64 --os linux -p:PublishProfile=DefaultContainer
-        if (-Not [string]::IsNullOrWhiteSpace(${env:CONTAINER_REGISTRY})) {
-          $containerTag = "${env:CONTAINER_REGISTRY}/${env:GITHUB_REPOSITORY}:github-${env:GITHUB_RUN_NUMBER}".ToLowerInvariant()
-          "container-tag=${containerTag}" >> "${env:GITHUB_OUTPUT}"
-        }
-
   deploy-dev:
     if: github.event.repository.fork == false && github.ref_name == github.event.repository.default_branch
     name: dev

diff --git a/.github/workflows/lighthouse.yml b/.github/workflows/lighthouse.yml
@@ -85,7 +85,7 @@ jobs:
 
     - name: Publish artifacts
       uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
-      if: ${{ always() }}
+      if: ${{ !cancelled() }}
       with:
         name: lighthouse
         path: ${{ github.workspace }}/artifacts/lighthouse

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -28,12 +28,13 @@ jobs:
     steps:
 
     - name: Checkout code
-      uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+      uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
 
     - name: Add actionlint problem matcher
       run: echo "::add-matcher::.github/actionlint-matcher.json"
 
     - name: Lint workflows
       uses: docker://rhysd/actionlint@sha256:daa1edae4a6366f320b68abb60b74fb59a458c17b61938d3c62709d92b231558 # v1.6.27
       with:
-        args: -color
+        # Remove -ignore once v1.6.28 released - see https://github.com/rhysd/actionlint/pull/418#issuecomment-2089713941
+        args: -color -ignore "attestations"
diff --git a/Directory.Build.props b/Directory.Build.props
@@ -21,7 +21,6 @@
     <Deterministic>true</Deterministic>
     <EmbedUntrackedSources>true</EmbedUntrackedSources>
     <EnableNETAnalyzers>true</EnableNETAnalyzers>
-    <EnableSdkContainerSupport>true</EnableSdkContainerSupport>
     <EnforceCodeStyleInBuild>true</EnforceCodeStyleInBuild>
     <GenerateAssemblyProductAttribute>false</GenerateAssemblyProductAttribute>
     <GenerateGitMetadata Condition=" '$(CI)' != '' and '$(GenerateGitMetadata)' == '' ">true</GenerateGitMetadata>

diff --git a/src/LondonTravel.Site/LondonTravel.Site.csproj b/src/LondonTravel.Site/LondonTravel.Site.csproj
@@ -82,4 +82,14 @@
     <Warning Condition=" $(_PseudoLocalizeInstalled) != 0 " Text="The PseudoLocalize .NET Global Tool is not installed. To install this tool, run the following command: dotnet tool restore" />
     <Exec Condition=" $(_PseudoLocalizeInstalled) == 0 " Command="pseudo-localize %(_PseudoLocalizedFiles.Identity) --overwrite --force" ConsoleToMsBuild="true" StandardOutputImportance="Normal" />
   </Target>
+  <Target Name="SetGitHubContainerOutputs" AfterTargets="PublishContainer" Condition=" '$(GITHUB_OUTPUT)' != '' AND '$(ContainerRegistry)' != '' ">
+    <PropertyGroup>
+      <_ContainerImage>$(ContainerRegistry)/$(ContainerRepository)</_ContainerImage>
+      <_ContainerImage>$(_ContainerImage.ToLowerInvariant())</_ContainerImage>
+      <_ContainerTag>$(_ContainerImage):github-$(GITHUB_RUN_NUMBER)</_ContainerTag>
+    </PropertyGroup>
+    <WriteLinesToFile File="$(GITHUB_OUTPUT)" Lines="container-digest=$(GeneratedContainerDigest)" />
+    <WriteLinesToFile File="$(GITHUB_OUTPUT)" Lines="container-image=$(_ContainerImage)" />
+    <WriteLinesToFile File="$(GITHUB_OUTPUT)" Lines="container-tag=$(_ContainerTag)" />
+  </Target>
 </Project>