Will this create provenance? (#35)

TomHennen · web-flow · commit 7d9f1edef36c · 2024-12-27T16:08:17.000-05:00
* Will this create provenance?

* newline
diff --git a/.github/workflows/build-tools.yml b/.github/workflows/build-tools.yml
@@ -38,3 +38,4 @@ jobs:
         imagename: ghcr.io/${{ github.repository }}/${{ matrix.tool }}
         registry: 'ghcr.io'
         github_token: ${{ secrets.GITHUB_TOKEN }}
+        publish_provenance_for_private_repo: true
diff --git a/publish/actions/container/action.yml b/publish/actions/container/action.yml
@@ -15,6 +15,10 @@ inputs:
   github_token:
     description: "GitHub token with write access"
     required: true
+  publish_provenance_for_private_repo:
+    description: "Publish provenance to Sigstore for a private repo"
+    required: false
+    default: false
 
 runs:
   using: "composite"
@@ -49,3 +53,13 @@ runs:
       labels: ${{ steps.meta.outputs.labels }}
       cache-from: type=gha
       cache-to: type=gha,mode=max
+  - name: Provenance
+    if: startsWith(github.ref, 'refs/tags/')
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
+    with:
+      image: ${{ push.outputs.image }}
+      digest: ${{ push.outputs.digest }}
+      registry-username: ${{ github.actor }}
+      private-repository: ${{ inputs.publish_provenance_for_private_repo }}
+    secrets:
+      registry-password: ${{ inputs.github_token }}
