philips-software · rjaegers · Jan 14, 2025 · Jan 8, 2025 · Jan 8, 2025 · Jan 8, 2025
@@ -22,13 +22,13 @@ jobs:
   build-push:
     runs-on: ubuntu-latest
     permissions:
+      attestations: write
       # dependency-submission needs contents write permission.
       contents: write
+      # attest-build-provenance needs id-token write permission.
+      id-token: write
       packages: write
       pull-requests: write
-      # This is used to complete the identity challenge
-      # with sigstore/fulcio when running outside of PRs.
-      id-token: write
     strategy:
       matrix:
         flavor: ["cpp", "rust"]
@@ -39,8 +39,6 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           persist-credentials: false
-      - uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
-        if: github.event_name != 'merge_group'
       - uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
       - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         if: github.event_name != 'merge_group'
@@ -121,14 +119,18 @@ jobs:
         with:
           comment-summary-in-pr: on-failure
           fail-on-severity: critical
-      - name: Sign the images with GitHub OIDC token
+      - uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0
+        if: github.event_name != 'merge_group'
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ github.repository }}-${{ matrix.flavor }}
+          subject-digest: ${{ steps.build-and-push.outputs.digest }}
+          push-to-registry: true
+      - name: Verify attestation
         if: github.event_name != 'merge_group'
-        # This step uses the GitHub OIDC identity token to provision an ephemeral certificate
-        # against the sigstore community Fulcio instance.
         env:
-          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+          GH_TOKEN: ${{ github.token }}
         run: |
-          cosign sign --yes --recursive "${{ env.REGISTRY }}/${{ github.repository }}-${{ matrix.flavor }}@${DIGEST}"
+          gh attestation verify oci://${{ env.REGISTRY }}/${{ github.repository }}-${{ matrix.flavor }} --owner "$GITHUB_REPOSITORY_OWNER"
   acceptance-test:
     if: github.event_name == 'pull_request'
     needs: build-push

@@ -0,0 +1,16 @@
+---
+name: Package Published
+
+on:
+  registry_package:
+    types: [published]
+
+jobs:
+  attach-provenance-to-release:
+    runs-on: ubuntu-latest
+    steps:
+      - run: |
+          set -Eeuo pipefail
+          echo "${{ toJson(github.event.registry_package) }}" | jq .
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -20,13 +20,11 @@ jobs:
     permissions:
       packages: write
     steps:
-      - uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
       - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
-      - run: cosign clean -f --type=signature "${{ env.REGISTRY }}/${{ github.repository }}-${{ matrix.flavor }}:pr-${{ github.event.pull_request.number }}"
       - uses: bots-house/ghcr-delete-image-action@3827559c68cb4dcdf54d813ea9853be6d468d3a4 # v1.1.0
         with:
           owner: ${{ github.repository_owner }}

@@ -3,7 +3,9 @@ name: Social Interaction
 
 on:
   issues:
+    types: [opened]
   pull_request:
+    types: [opened]
 
 permissions:
   contents: read