From 656bdb5531e4da9c1701d4c902d3e6b31af79765 Mon Sep 17 00:00:00 2001
From: Till Wegmueller
Date: Sat, 29 Nov 2025 17:36:35 +0100
Subject: [PATCH] fix: move attestation to multi-platform manifest creation

---
 .github/workflows/release.yml | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 5027242..dcb127e 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -70,19 +70,13 @@ jobs:
 VERSION=${{ github.ref_name }}
 REVISION=${{ github.sha }}
 
- - name: Generate artifact attestation
- uses: actions/attest-build-provenance@v1
- with:
- subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
- subject-digest: ${{ steps.build.outputs.digest }}
- push-to-registry: true
-
 create-manifest:
 runs-on: ubuntu-latest
 needs: build-platform
 permissions:
 contents: read
 packages: write
+ id-token: write

 steps:
 - name: Log in to GitHub Container Registry
@@ -104,6 +98,7 @@ jobs:
 type=sha,prefix=sha-

 - name: Create and push multi-platform manifest
+ id: manifest
 run: |
 # Extract tags into an array
 TAGS=$(echo '${{ steps.meta.outputs.tags }}' | tr '\n' ' ')
@@ -116,6 +111,18 @@ jobs:
 ${TAG}-arm64
 done
 
+ # Get the digest of the first tag (version tag) for attestation
+ FIRST_TAG=$(echo '${{ steps.meta.outputs.tags }}' | head -n1)
+ DIGEST=$(docker buildx imagetools inspect ${FIRST_TAG} --format '{{.Manifest.Digest}}')
+ echo "digest=${DIGEST}" >> $GITHUB_OUTPUT
+
+ - name: Generate artifact attestation
+ uses: actions/attest-build-provenance@v1
+ with:
+ subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+ subject-digest: ${{ steps.manifest.outputs.digest }}
+ push-to-registry: true
+
 create-github-release:
 runs-on: ubuntu-latest
 needs: create-manifest
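Review bot: `id-token: write` is now granted to create-manifest, but the hunk does not show whether build-platform still carries the same permission now that its attestation step is gone; if it does, that grant no longer has a consumer and should be removed so the OIDC token is only minted in the job that signs. The build-platform permissions block lies outside this hunk, so this is something to confirm against the full file rather than a defect visible here. Worth a one-line comment next to the new permission, e.g. `id-token: write  # needed by actions/attest-build-provenance to sign the manifest digest`, so the next reader does not drop it as unused.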
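Review bot: The added FIRST_TAG line re-interpolates `${{ steps.meta.outputs.tags }}` straight into the shell a second time and then passes the result unquoted to `docker buildx imagetools inspect`; the TAGS variable built at the top of this same run block (outside the hunk) already holds that list, so `FIRST_TAG=${TAGS%% *}` avoids the extra expression-to-shell interpolation and `"$FIRST_TAG"` keeps the argument intact. The resolved digest is also written to `$GITHUB_OUTPUT` without any check, so an empty or malformed value would only surface later as an opaque failure in the attestation step rather than at the point where it can be diagnosed. Since the attestation step now runs on a digest read back from the registry rather than one returned by the push, a guard that the value is a `sha256:` digest is cheap insurance. The enclosing step begins outside this hunk; the same `@v1` floating tag is used for actions/attest-build-provenance, which a full-commit-SHA pin would make reproducible.
```yaml
          # … unchanged: manifest creation loop …

          # Get the digest of the first tag (version tag) for attestation.
          # TAGS is the space-separated list built at the top of this run block.
          FIRST_TAG=${TAGS%% *}
          DIGEST=$(docker buildx imagetools inspect "$FIRST_TAG" --format '{{.Manifest.Digest}}')
          [[ "$DIGEST" == sha256:* ]] || { echo "no manifest digest resolved for $FIRST_TAG" >&2; exit 1; }
          echo "digest=${DIGEST}" >> "$GITHUB_OUTPUT"
```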