Add provenance and SBOM (#145)

Author: brantburnett

.github/workflows/build.yml

@@ -21,7 +21,8 @@ jobs:
     steps:
       - uses: actions/checkout@v6
       - name: Get version
-        run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV
+        id: get_version
+        run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT
 
       - uses: actions/setup-node@v6
         with:
@@ -63,21 +64,24 @@ jobs:
         uses: docker/build-push-action@v6
         with:
           context: .
-          platforms: linux/amd64
+          platforms: linux/amd64,linux/arm64
           push: ${{ github.event_name != 'pull_request' }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
+          annotations: ${{ steps.meta.outputs.annotations }}
+          provenance: true
+          sbom: true
+          cache-to: type=inline
+          cache-from: type=registry,ref=brantburnett/couchbase-index-manager:latest
 
       - name: Publish to NPM
         if: startsWith(github.ref, 'refs/tags/') # Only on tags
         run: |
-          npm run lerna -- version ${{ env.RELEASE_VERSION }} --no-git-tag-version --exact -y &&
+          npm run lerna -- version ${{ steps.get_version.outputs.RELEASE_VERSION }} --no-git-tag-version --exact -y &&
           pushd packages/couchbase-index-manager && npm publish && popd &&
           pushd packages/couchbase-index-manager-cli && npm publish && popd
         env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NPM_CONFIG_PROVENANCE: true
 
       - name: Pack NPM
         if: ${{!startsWith(github.ref, 'refs/tags/')}} # Only on non-tags

Dockerfile

@@ -1,4 +1,4 @@
-FROM node:20 as build
+FROM node:20 AS build
 
 WORKDIR /app
 COPY ["package*.json", "lerna.json", "./"]