From 3c5e207bb290dbb9f3e374b3ff1365f64fe69971 Mon Sep 17 00:00:00 2001
From: vickunwu <31735039+vickunwu@users.noreply.github.com>
Date: Thu, 16 Jan 2025 16:43:23 +0800
Subject: [PATCH] Add attestation for Docker image
---
.github/workflows/ci.yml | 35 ++++++++++++++++++++++++++++++++---
1 file changed, 32 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index d9f206199..ac9a24de4 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -28,6 +28,11 @@ concurrency:
jobs:
linux:
+ permissions:
+ id-token: write
+ contents: write
+ attestations: write
+ packages: write
strategy:
fail-fast: false
matrix:
@@ -125,7 +130,9 @@ jobs:
skip-extraction: ${{ steps.cargo-cache.outputs.cache-hit }} && ${{ steps.apt-cache.outputs.cache-hit }}
- name: Build Artifact
- uses: docker/bake-action@v6
+ id: build
+ # bake-action@v6 seems to have some problems with cross-arch build, so sticks to v5 for now
+ uses: docker/bake-action@v5
env:
TARGET: ${{matrix.target}}
DOCKER_BUILD_RECORD_UPLOAD: false
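Review bot: `contents: write` in the new permissions block of the linux job is wider than the attestation steps need: actions/attest-build-provenance documents `contents: read` next to `id-token: write` and `attestations: write`, and `packages: write` is only required because the later steps use `push-to-registry: true` against GHCR. As written, every matrix build of this job receives a token that can push to the repository (if the job also runs on pull_request, which this hunk does not show, that applies to same-repo PRs as well). Unless a step outside this hunk commits or uploads to the repository, change the line to `contents: read`. The same widening appears in the Release job hunk (`contents: read` → `contents: write`); if a release-upload step there needs it, a short trailing comment naming that step would make the reason auditable.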
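Review bot: The downgrade comment above `uses: docker/bake-action@v5` records a symptom but no tracking reference, so nobody will know when it is safe to return to v6; suggest `# bake-action@v6 breaks the cross-arch build (see <upstream issue link>); revisit once fixed` with the link filled in. Separately, now that this job mints an OIDC token and signs provenance, the third-party actions it runs (`docker/bake-action@v5` here and `actions/attest-build-provenance@v2` in the later hunk) are referenced by mutable major tags; pinning them to a full commit SHA with the version in a trailing comment keeps a moved tag from producing attestations in this repository's name. The new `id: build` is what the digest step in the later hunk reads through `steps.build.outputs.metadata`, which is worth stating in the comment so the id is not dropped in a future cleanup.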
@@ -147,6 +154,28 @@ jobs:
./artifact
!./artifact/*.json
+ - name: Get image digest
+ id: image-digest
+ if: (github.event_name == 'push' || inputs.Docker) && (startsWith(matrix.target, 'x86') || startsWith(matrix.target, 'aarch64'))
+ run: |
+ echo "image_digest=$(echo '${{ steps.build.outputs.metadata }}' | jq -r '.image.["containerimage.digest"]')" >> "$GITHUB_OUTPUT"
+ - name: Attest Dockerhub
+ uses: actions/attest-build-provenance@v2
+ if: (github.event_name == 'push' || inputs.Docker) && (startsWith(matrix.target, 'x86') || startsWith(matrix.target, 'aarch64'))
+ with:
+ subject-name: index.docker.io/${{github.repository}}
+ subject-digest: ${{ steps.image-digest.outputs.image_digest }}
+ push-to-registry: true
+ - name: Attest GHCR
+ uses: actions/attest-build-provenance@v2
+ if: (github.event_name == 'push' || inputs.Docker) && (startsWith(matrix.target, 'x86') || startsWith(matrix.target, 'aarch64'))
+ with:
+ subject-name: ghcr.io/${{github.repository}}
+ subject-digest: ${{ steps.image-digest.outputs.image_digest }}
+ push-to-registry: true
windows:
name: Build / ${{matrix.target}}
runs-on: windows-latest
@@ -226,7 +255,7 @@ jobs:
name: Release
permissions:
id-token: write
- contents: read
+ contents: write
attestations: write
if: github.event_name == 'push' || inputs.Release
needs: [linux, windows, macos]
@@ -262,7 +291,7 @@ jobs:
compress_files "$dir_name"
done
- - name: Attest
+ - name: Attest binary
uses: actions/attest-build-provenance@v2
with:
subject-path: |
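Review bot: In the new `Get image digest` step, `${{ steps.build.outputs.metadata }}` is expanded straight into the shell script inside single quotes, so any `'` in the bake metadata JSON ends the quoting and the remainder of the value is interpreted by the shell; the usual fix is to hand the output to the script through an `env:` entry and read `$BUILD_METADATA` there. The step also has no failure path: if `containerimage.digest` is absent, `jq -r` prints `null`, that value is written to `$GITHUB_OUTPUT`, and the two attest steps fail later with a less useful error, so it is better to fail here with a message. The filter form `.image.["containerimage.digest"]` (dot before bracket) is only accepted by jq 1.7 and newer; `.image["containerimage.digest"]` works on every jq version. Whether the bake target is really named `image` is not visible in this hunk — confirm against the bake file.
```yaml
      - name: Get image digest
        id: image-digest
        # … unchanged: if: condition …
        env:
          BUILD_METADATA: ${{ steps.build.outputs.metadata }}
        run: |
          digest="$(printf '%s' "$BUILD_METADATA" | jq -r '.image["containerimage.digest"] // empty')"
          if [ -z "$digest" ]; then
            echo "::error::bake metadata has no image.containerimage.digest"
            exit 1
          fi
          echo "image_digest=$digest" >> "$GITHUB_OUTPUT"
      # … unchanged: Attest Dockerhub and Attest GHCR steps …
```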