diff --git a/.github/workflows/reusable-release.yaml b/.github/workflows/reusable-release.yaml
index a08b1106d4..7ed82e278d 100644
--- a/.github/workflows/reusable-release.yaml
+++ b/.github/workflows/reusable-release.yaml
@@ -25,6 +25,7 @@ jobs:
       id-token: write # For cosign
       packages: write # For GHCR
       contents: read # Not required for public repositories, but for clarity
+      attestations: write # For build provenance attestations
     steps:
       - name: Cosign install
         uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
@@ -85,6 +86,7 @@ jobs:
           mkdir tmp
       - name: GoReleaser
+        id: goreleaser
         uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0
         with:
           version: v2.1.0
@@ -115,6 +117,12 @@ jobs:
             ghcr.io/aquasecurity/trivy:canary
             public.ecr.aws/aquasecurity/trivy:canary
 
+      - name: Generate build provenance attestations
+        if: ${{ inputs.goreleaser_config != 'goreleaser-canary.yml' }}
+        uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
+        with:
+          subject-checksums: dist/trivy_${{ fromJSON(steps.goreleaser.outputs.metadata).version }}_checksums.txt
+
       - name: Cache Trivy binaries
         uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
         with:
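Review bot: The new "Generate build provenance attestations" step calls `actions/attest` with only `subject-checksums`, but that action has, in the versions I know, required `predicate-type` plus a `predicate` or `predicate-path` input, with `actions/attest-build-provenance` being the variant that derives SLSA provenance from the subjects alone; unless the pinned v4.1.0 relaxed that, the step would fail at runtime, and the step name suggests `actions/attest-build-provenance` was the intended action, so confirm against the pinned revision's action.yml. The `subject-checksums` path also hard-codes a file name that must agree with the GoReleaser checksum name template and with how `metadata.version` is formatted (whether it carries the tag's leading `v` is not visible here), so a comment above `with:` such as `# File name must match checksum.name_template in the GoReleaser config; version comes from the GoReleaser metadata output` would make that coupling visible to the next person who touches either file. Since the `if:` skips canary runs, it is also worth confirming that the attestation covers every artifact listed in the checksums file and that container images are attested separately by the existing cosign step. The enclosing `steps:` sequence begins outside the hunk.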