@@ -62,24 +62,34 @@ jobs:
6262 tags : ${{ steps.meta.outputs.tags }}
6363 labels : ${{ steps.meta.outputs.labels }}
6464
65+ - name : Install Cosign
66+ uses : sigstore/cosign-installer@v3
67+
6568 - name : Generate SBOM for container image
6669 uses : anchore/sbom-action@v0
6770 with :
6871 image : ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.push.outputs.digest }}
6972 output-file : build-sample-sbom.spdx.json
7073 artifact-name : " build-sample-sbom.spdx.json"
7174
72- - name : Generate build provenance attestation
73- uses : actions/attest-build-provenance@v3
74- with :
75- subject-name : ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
76- subject-digest : ${{ steps.push.outputs.digest }}
77- push-to-registry : true
75+ - name : Sign container image with Cosign
76+ run : |
77+ cosign sign --yes \
78+ ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.push.outputs.digest }}
7879
79- - name : Generate SBOM attestation
80- uses : actions/attest-sbom@v2
81- with :
82- subject-name : ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
83- subject-digest : ${{ steps.push.outputs.digest }}
84- sbom-path : " build-sample-sbom.spdx.json"
85- push-to-registry : true
80+ - name : Attest SBOM with Cosign
81+ run : |
82+ cosign attest --yes \
83+ --predicate build-sample-sbom.spdx.json \
84+ --type spdx \
85+ ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.push.outputs.digest }}
86+
87+ - name : Generate and attest SLSA provenance with Cosign
88+ run : |
89+ cosign attest --yes \
90+ --predicate <(cosign generate-slsa-provenance \
91+ --repo ${{ github.repository }} \
92+ --run-id ${{ github.run_id }} \
93+ --sha ${{ github.sha }}) \
94+ --type slsaprovenance \
95+ ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.push.outputs.digest }}
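Review bot: `--type spdx` on the "Attest SBOM with Cosign" step does not match the file it wraps: `build-sample-sbom.spdx.json` is SPDX JSON, and as far as I recall cosign's `spdx` predicate type is meant for the tag-value format (the JSON document gets embedded as an opaque string), so consumers running `cosign verify-attestation --type spdxjson` will not find it; change the flag to `--type spdxjson`. The provenance step relies on a `cosign generate-slsa-provenance` subcommand with `--repo`/`--run-id`/`--sha` flags that I cannot find in the cosign CLI, so confirm it exists in the release that `sigstore/cosign-installer@v3` installs before merging, otherwise the step fails at runtime, and because it runs inside `<( … )` a failure there only surfaces as a predicate parse error from the outer `cosign attest`. Note also that this provenance is produced by the workflow on the same runner rather than by the builder, which is weaker evidence than the `actions/attest-build-provenance` output being removed; a comment such as `# self-generated provenance: not builder-signed, verify via the certificate identity` above the step would make that trade-off explicit. Keyless `cosign sign`/`attest` needs `permissions: id-token: write` and `packages: write` on the job, which lies outside this hunk.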