feat: Dockerfile attestation and signing

Lissy93 · Lissy93 · commit 010332774187 · 2025-04-06T14:23:45.000+01:00
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -1,3 +1,20 @@
+# This is a GitHub Actions workflow to make the Docker image
+
+# It's triggered on either:
+# A) Pushes to the main branch, which will update the :latest tag
+# B) The creation of a new git tag, which will create a new version tag :x.x.x
+# C) Manual workflow runs with a custom tag, to publish a temp feature image
+
+# The workflow does the following:
+# 1. Checks out the code
+# 2. Sets up QEMU for multi-arch builds, and Buildx for advanced building
+# 3. Authenticates with registries (DockerHub, GHCR)
+# 4. Determines the Docker tags based on the branch or tag
+# 5. Builds the Docker image for specified architectures
+# 6. Pushes the Docker image to authenticated registries
+# 7. Generates an SBOM in SPDX for the included dependencies
+# 8. Attests and pushes the build provenance and SBOM to registries
+
 name: 🐳 Build & Push Docker Image
 
 on:
@@ -6,11 +23,34 @@ on:
       - main
     tags:
       - 'v*'
+  workflow_dispatch:
+    inputs:
+      dry_run:
+        description: 'Run build without pushing image?'
+        required: false
+        default: 'false'
+
+permissions:
+  id-token: write
+  contents: read
+  attestations: write
+  packages: write
 
 jobs:
   build-and-push:
     runs-on: ubuntu-latest
 
+    strategy:
+      matrix:
+        target: [dockerhub, ghcr]
+        include:
+          - target: dockerhub
+            registry: docker.io
+            image: lissy93/domain-locker
+          - target: ghcr
+            registry: ghcr.io
+            image: ghcr.io/lissy93/domain-locker
+
     steps:
       - name: Check out repo
         uses: actions/checkout@v4
@@ -22,35 +62,77 @@ jobs:
         uses: docker/setup-buildx-action@v3
 
       - name: Login to Docker Hub
+        if: matrix.target == 'dockerhub'
         uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
 
       - name: Login to GitHub Container Registry
+        if: matrix.target == 'ghcr'
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
-          # username: liss-bot
-          # password: ${{ secrets.BOT_TOKEN }}
 
       - name: Determine Docker Tags
         id: docker_tags
         run: |
           if [[ "${GITHUB_REF}" == refs/tags/v* ]]; then
             RAW_VERSION="${GITHUB_REF#refs/tags/v}"
-            echo "tags=lissy93/domain-locker:${RAW_VERSION},ghcr.io/lissy93/domain-locker:${RAW_VERSION}" >> $GITHUB_OUTPUT
+            echo "tag_name=${RAW_VERSION}" >> $GITHUB_OUTPUT
+            echo "is_tagged=true" >> $GITHUB_OUTPUT
+            echo "tags=${{ matrix.image }}:${RAW_VERSION}" >> $GITHUB_OUTPUT
           else
-            # On main branch
-            echo "tags=lissy93/domain-locker:latest,ghcr.io/lissy93/domain-locker:latest" >> $GITHUB_OUTPUT
+            echo "tag_name=latest" >> $GITHUB_OUTPUT
+            echo "is_tagged=false" >> $GITHUB_OUTPUT
+            echo "tags=${{ matrix.image }}:latest" >> $GITHUB_OUTPUT
           fi
-        
+
       - name: Build & Push Multi-Arch Docker Image
+        id: build
         uses: docker/build-push-action@v5
         with:
           context: .
-          push: true
+          push: ${{ github.event_name != 'workflow_dispatch' || github.event.inputs.dry_run != 'true' }}
           tags: ${{ steps.docker_tags.outputs.tags }}
           platforms: linux/amd64,linux/arm64
+          provenance: false
+          outputs: type=registry
+          labels: |
+            org.opencontainers.image.source=https://github.com/${{ github.repository }}
+            org.opencontainers.image.version=${{ steps.docker_tags.outputs.tag_name }}
+            org.opencontainers.image.revision=${{ github.sha }}
+
+      - name: Extract digest from Docker image
+        id: digest
+        run: |
+          echo "digest=${{ steps.build.outputs.digest }}" >> $GITHUB_OUTPUT
+
+      - name: Generate SBOM (SPDX)
+        if: github.event_name != 'workflow_dispatch' || github.event.inputs.dry_run != 'true'
+        id: sbom
+        uses: anchore/sbom-action@v0.15.4
+        with:
+          image: ${{ matrix.image }}:${{ steps.docker_tags.outputs.tag_name }}
+          format: spdx-json
+          output-file: sbom.spdx.json
+
+      - name: Generate provenance attestation
+        if: github.event_name != 'workflow_dispatch' || github.event.inputs.dry_run != 'true'
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-name: ${{ matrix.image }}
+          subject-digest: ${{ steps.digest.outputs.digest }}
+          push-to-registry: true
+
+      - name: Attest SBOM to registry
+        if: github.event_name != 'workflow_dispatch' || github.event.inputs.dry_run != 'true'
+        uses: actions/attest-sbom@v1
+        with:
+          subject-name: ${{ matrix.image }}
+          subject-digest: ${{ steps.digest.outputs.digest }}
+          sbom-path: sbom.spdx.json
+          push-to-registry: true
+
