From 65d30d631922fb07485725cef2fece2181e10fd5 Mon Sep 17 00:00:00 2001
From: Reaper Gelera
Date: Fri, 3 May 2024 18:32:08 +0530
Subject: [PATCH] ci: add attestation

---
 .github/workflows/docker-pub.yml | 21 +++++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/docker-pub.yml b/.github/workflows/docker-pub.yml
index f04eb55..7e9c1cf 100644
--- a/.github/workflows/docker-pub.yml
+++ b/.github/workflows/docker-pub.yml
@@ -7,15 +7,12 @@ jobs:
 name: Buid and push Docker image to GitHub Container registry
 runs-on: ubuntu-latest
 permissions:
- packages: write
 contents: read
+ packages: write
+ attestations: write
 steps:
 - name: Checkout the repository
- uses: actions/checkout@v2
-
- - name: Build Meta
- run: echo "::set-output name=dtag::ghcr.io/barelyhuman/goblin:nightly"
- id: meta
+ uses: actions/checkout@v4
 
 - name: Set up QEMU
 uses: docker/setup-qemu-action@v3
@@ -29,8 +26,13 @@ jobs:
 username: ${{ github.repository_owner }}
 password: ${{ secrets.GITHUB_TOKEN }}
 
+ - name: Build Meta
+ run: echo "::set-output name=dtag::ghcr.io/barelyhuman/goblin:nightly"
+ id: meta
+
 - name: Build and push
 uses: docker/build-push-action@v5
+ id: push
 env:
 REGISTRY: ghcr.io
 OWNER: ${{ github.repository_owner }}
@@ -41,3 +43,10 @@ jobs:
 platforms: linux/amd64,linux/arm64
 push: true
 tags: ${{ steps.meta.outputs.dtag }}
+
+ - name: Generate artifact attestation
+ uses: actions/attest-build-provenance@v1
+ with:
+ subject-name: ghcr.io/barelyhuman/goblin:nightly
+ subject-digest: ${{ steps.push.outputs.digest }}
+ push-to-registry: true
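Review bot: The `permissions:` block in the first hunk adds `attestations: write` but not `id-token: write`, which `actions/attest-build-provenance` needs to request the OIDC token behind its Sigstore signing certificate. Because the job lists its permissions explicitly, every scope not named there is `none`, so the attestation step added in the last hunk is expected to fail at signing. Add `id-token: write` next to the three existing entries and keep the rest of the block as narrow as it is now.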
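Review bot: The `Build Meta` step that the second hunk moves below the registry login still uses the deprecated `::set-output` workflow command. Stdout workflow commands were retired in favour of environment files, because anything a step prints to the log can be interpreted as a command. The value here is a constant, so the change is mechanical: `run: echo "dtag=ghcr.io/barelyhuman/goblin:nightly" >> "$GITHUB_OUTPUT"`. The `id: meta` and the `steps.meta.outputs.dtag` reference stay as they are.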
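Review bot: `subject-name` in the new `Generate artifact attestation` step includes the `:nightly` tag, but the action expects the fully-qualified image name without a tag, since the image is identified by `subject-digest`. It should read `subject-name: ghcr.io/barelyhuman/goblin`. The name is also hard-coded a second time here, separately from the `dtag` output, so the pushed image and the attested subject can drift if one is edited. Since `nightly` is a mutable tag, a short comment above the step such as `# attestation is bound to the pushed digest; verify by digest, not by the nightly tag` would tell consumers which reference to check.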