From 3de10afc5c34bf17b2a375f930f32a8fdde6cb08 Mon Sep 17 00:00:00 2001
From: Artyom Pervukhin
Date: Sat, 23 Nov 2024 14:09:37 +0100
Subject: [PATCH] Generate build provenance attestation
---
 .github/workflows/publish.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 8490073..c944b71 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -23,6 +23,7 @@ jobs:
 username: ${{ github.actor }}
 password: ${{ github.token }}
 - uses: docker/build-push-action@v6
+ id: push
 with:
 push: true
 platforms: |
@@ -33,3 +34,8 @@ jobs:
 outputs: type=image,oci-mediatypes=true,compression=zstd,compression-level=6,force-compression=true
 cache-from: type=gha
 cache-to: type=gha,mode=max
+ - uses: actions/attest-build-provenance@v1
+ with:
+ subject-name: ghcr.io/${{ github.repository }}
+ subject-digest: ${{ steps.push.outputs.digest }}
+ push-to-registry: true
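Review bot: The new `actions/attest-build-provenance@v1` step in the second hunk needs the job to grant `id-token: write` and `attestations: write` (plus `packages: write` for `push-to-registry: true`), yet all six added lines are step lines, so this commit adds no `permissions:` entry. The job header is outside both hunks; if it does not already grant these scopes the step will fail when it requests the signing token or uploads the attestation, so confirm them and keep them at job level rather than workflow level. Because this step is handed an OIDC token, I would pin it to a full commit SHA instead of the mutable tag, e.g. `- uses: actions/attest-build-provenance@<full-commit-sha> # v1`. It is also worth checking that `subject-name` matches the image name in the build step's `tags:` input (not visible here), since `ghcr.io/${{ github.repository }}` keeps any uppercase characters from the repository name and the attestation is pushed under that name.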