From cfa89e3d4a13e503ff1a1c677f6aa722181f8399 Mon Sep 17 00:00:00 2001
From: Ivan Chepurin
Date: Tue, 24 Jun 2025 09:28:50 +1000
Subject: [PATCH] SRE-2916: Publish build attestation to GH.
---
.github/actions/push/action.yaml | 6 ++++++
.github/workflows/main.yaml | 13 +++++++++++++
.github/workflows/release.yaml | 13 +++++++++++++
3 files changed, 32 insertions(+)
diff --git a/.github/actions/push/action.yaml b/.github/actions/push/action.yaml
index 3fb5d0e0d..f27c4f07d 100644
--- a/.github/actions/push/action.yaml
+++ b/.github/actions/push/action.yaml
@@ -16,6 +16,11 @@ inputs:
required: false
type: string
+outputs:
+ digest:
+ description: "The digest of the built image"
+ value: ${{ steps.build.outputs.digest }}
+
runs:
using: "composite"
steps:
@@ -67,6 +72,7 @@ runs:
endpoint: builders
- name: Build and push
+ id: build
uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # pin@v6.15.0
with:
context: .
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index 23aea9eff..0026009f2 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -10,6 +10,10 @@ jobs:
push:
name: Push Docker
runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ attestations: write
+ packages: write
steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # pin@v4.2.2
@@ -23,6 +27,15 @@ jobs:
echo TAGS="ghcr.io/${{ github.repository }}/immutable-geth:unstable-$BUILD_TIMESTAMP-git.$SHORT_SHA" >> $GITHUB_ENV
- uses: ./.github/actions/push
+ id: push
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
tags: ${{ env.TAGS }}
+
+ - name: Attest
+ uses: actions/attest-build-provenance@v2
+ id: attest
+ with:
+ subject-name: ghcr.io/${{ github.repository }}/immutable-geth
+ subject-digest: ${{ steps.push.outputs.digest }}
+ push-to-registry: false
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 69b760045..3fcaec93e 100644
--- a/.github/workflows/release.yaml
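Review bot: The new `digest` output in action.yaml is documented only as "The digest of the built image", but its value is what the callers feed to an attestation as the subject, so the description should say what form it takes and where it comes from. Something like `description: "Image digest (sha256:<hex>) reported by docker/build-push-action for the pushed image; used by callers as the attestation subject"` makes the contract explicit. If the build step can be skipped on some paths of this composite action (not visible in the hunk), the output would presumably be empty, and that case is worth a word here too.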
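Review bot: The job-level `permissions` block added in main.yaml's first hunk does not grant `contents: read`, and declaring any scope at job level sets every undeclared scope to none, so the `actions/checkout` step directly below now runs with a token that has no repository-contents permission; on a private repository that is expected to fail the checkout, and the attest-build-provenance documentation itself lists `contents: read` alongside `id-token: write` and `attestations: write`. Add `contents: read` to the block so the job keeps exactly the read access it needs. The same block is added in release.yaml's first hunk and needs the same line.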
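Review bot: `uses: actions/attest-build-provenance@v2` in main.yaml's second hunk references a mutable major tag, while every other action in these workflows is pinned to a full commit SHA with a `# pin@vX.Y.Z` comment (`actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # pin@v4.2.2`, `docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # pin@v6.15.0`); the step that signs the provenance for the image is the one least appropriate to leave floating, since a moved tag changes what produces the attestation without any change in this repository. Pin it the same way, `uses: actions/attest-build-provenance@<commit-sha-of-chosen-release> # pin@v2.x.y`, with the SHA taken from the release actually intended. Separately, with `push-to-registry: false` the attestation is recorded only in the repository's attestation store on GitHub, so it is verifiable through `gh attestation verify` but not discoverable from GHCR by OCI-referrer tooling; if that is the intended scope (the commit title suggests it is), a one-line comment above `push-to-registry: false` saying so would save the next reader the question. Both points apply equally to the identical step added in release.yaml's second hunk.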
+++ b/.github/workflows/release.yaml
@@ -8,6 +8,10 @@ jobs:
push:
name: Push Docker
runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ attestations: write
+ packages: write
steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # pin@v4.2.2
@@ -16,6 +20,15 @@ jobs:
run: echo "TAG=$(echo ${GITHUB_REF} | sed 's/refs\/tags\///')" >> $GITHUB_ENV
- uses: ./.github/actions/push
+ id: push
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
tags: "ghcr.io/${{ github.repository }}/immutable-geth:latest,ghcr.io/${{ github.repository }}/immutable-geth:${{ env.TAG }}"
+
+ - name: Attest
+ uses: actions/attest-build-provenance@v2
+ id: attest
+ with:
+ subject-name: ghcr.io/${{ github.repository }}/immutable-geth
+ subject-digest: ${{ steps.push.outputs.digest }}
+ push-to-registry: false