ci: add container image attestation (#10478)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

.github/workflows/ci-main.yml

@@ -213,6 +213,9 @@ jobs:
     permissions:
       # Needed to upload contianer images to ghcr.io
       packages: write
+      # Needed for attestation
+      id-token: write
+      attestations: write
     timeout-minutes: 120
     steps:
       - uses: actions/checkout@v4
@@ -241,6 +244,7 @@ jobs:
         run: make gen-client-ts
       - name: Build Docker Image
         uses: docker/build-push-action@v6
+        id: push
         with:
           context: .
           secrets: |
@@ -253,6 +257,12 @@ jobs:
           cache-from: type=registry,ref=ghcr.io/goauthentik/dev-server:buildcache
           cache-to: type=registry,ref=ghcr.io/goauthentik/dev-server:buildcache,mode=max
           platforms: linux/${{ matrix.arch }}
+      - uses: actions/attest-build-provenance@v1
+        id: attest
+        with:
+          subject-name: ${{ steps.ev.outputs.imageNames }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: ${{ steps.ev.outputs.shouldBuild == 'true' }}
   pr-comment:
     needs:
       - build
@@ -276,4 +286,4 @@ jobs:
       - name: Comment on PR
         uses: ./.github/actions/comment-pr-instructions
         with:
-          tag: gh-${{ steps.ev.outputs.imageMainTag }}
+          tag: ${{ steps.ev.outputs.imageMainTag }}

.github/workflows/ci-outpost.yml

@@ -71,6 +71,9 @@ jobs:
     permissions:
       # Needed to upload contianer images to ghcr.io
       packages: write
+      # Needed for attestation
+      id-token: write
+      attestations: write
     steps:
       - uses: actions/checkout@v4
         with:
@@ -96,6 +99,7 @@ jobs:
       - name: Generate API
         run: make gen-client-go
       - name: Build Docker Image
+        id: push
         uses: docker/build-push-action@v6
         with:
           tags: ${{ steps.ev.outputs.imageTags }}
@@ -107,6 +111,12 @@ jobs:
           context: .
           cache-from: type=registry,ref=ghcr.io/goauthentik/dev-${{ matrix.type }}:buildcache
           cache-to: type=registry,ref=ghcr.io/goauthentik/dev-${{ matrix.type }}:buildcache,mode=max
+      - uses: actions/attest-build-provenance@v1
+        id: attest
+        with:
+          subject-name: ${{ steps.ev.outputs.imageNames }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: ${{ steps.ev.outputs.shouldBuild == 'true' }}
   build-binary:
     timeout-minutes: 120
     needs:

.github/workflows/release-publish.yml

@@ -11,6 +11,9 @@ jobs:
     permissions:
       # Needed to upload contianer images to ghcr.io
       packages: write
+      # Needed for attestation
+      id-token: write
+      attestations: write
     steps:
       - uses: actions/checkout@v4
       - name: Set up QEMU
@@ -41,6 +44,7 @@ jobs:
           mkdir -p ./gen-go-api
       - name: Build Docker Image
         uses: docker/build-push-action@v6
+        id: push
         with:
           context: .
           push: true
@@ -49,11 +53,20 @@ jobs:
             GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
           tags: ${{ steps.ev.outputs.imageTags }}
           platforms: linux/amd64,linux/arm64
+      - uses: actions/attest-build-provenance@v1
+        id: attest
+        with:
+          subject-name: ${{ steps.ev.outputs.imageNames }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
   build-outpost:
     runs-on: ubuntu-latest
     permissions:
       # Needed to upload contianer images to ghcr.io
       packages: write
+      # Needed for attestation
+      id-token: write
+      attestations: write
     strategy:
       fail-fast: false
       matrix:
@@ -95,12 +108,19 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build Docker Image
         uses: docker/build-push-action@v6
+        id: push
         with:
           push: true
           tags: ${{ steps.ev.outputs.imageTags }}
           file: ${{ matrix.type }}.Dockerfile
           platforms: linux/amd64,linux/arm64
           context: .
+      - uses: actions/attest-build-provenance@v1
+        id: attest
+        with:
+          subject-name: ${{ steps.ev.outputs.imageNames }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
   build-outpost-binary:
     timeout-minutes: 120
     runs-on: ubuntu-latest
@@ -178,8 +198,8 @@ jobs:
           image-name: ghcr.io/goauthentik/server
       - name: Get static files from docker image
         run: |
-          docker pull ${{ steps.ev.outputs.imageMainTag }}
-          container=$(docker container create ${{ steps.ev.outputs.imageMainTag }})
+          docker pull ${{ steps.ev.outputs.imageMainName }}
+          container=$(docker container create ${{ steps.ev.outputs.imageMainName }})
           docker cp ${container}:web/ .
       - name: Create a Sentry.io release
         uses: getsentry/action-release@v1