feat: Attach sbom and provenance to images

PSanetra · PSanetra · commit e7ee1bed6e0d · 2024-08-09T11:02:49.000+02:00
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
@@ -44,16 +44,16 @@ jobs:
           nginx-tag: "${{ steps.target_nginx_tag.outputs.tag }}"
           matrix-nginx: "${{ matrix.nginx }}"
           docker-repository: "${{ vars.DOCKER_REPOSITORY }}"
-      - uses: docker/setup-qemu-action@v2
+      - uses: docker/setup-qemu-action@v3
         name: Set up QEMU
-      - uses: docker/setup-buildx-action@v2
+      - uses: docker/setup-buildx-action@v3
         name: Set up Docker Buildx
-      - uses: docker/login-action@v2
+      - uses: docker/login-action@v3
         name: Login to Docker Hub
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
-      - uses: docker/build-push-action@v4
+      - uses: docker/build-push-action@v6
         name: Build and push
         if: ${{ steps.target_tags.outputs.tags != '' }}
         with:
@@ -63,3 +63,5 @@ jobs:
           pull: true
           tags: ${{ steps.target_tags.outputs.tags }}
           build-args: NGINX_TAG=${{ steps.target_nginx_tag.outputs.tag }}
+          provenance: mode=max
+          sbom: true
diff --git a/.github/workflows/update.yaml b/.github/workflows/update.yaml
@@ -70,16 +70,16 @@ jobs:
         if: steps.check_if_update_is_necessary.outputs.needs_update == 'true'
       - run: "make test NGINX_TAG=\"${{ steps.target_nginx_tag.outputs.tag }}\""
         if: steps.check_if_update_is_necessary.outputs.needs_update == 'true'
-      - uses: docker/setup-qemu-action@v2
+      - uses: docker/setup-qemu-action@v3
         name: Set up QEMU
-      - uses: docker/setup-buildx-action@v2
+      - uses: docker/setup-buildx-action@v3
         name: Set up Docker Buildx
-      - uses: docker/login-action@v2
+      - uses: docker/login-action@v3
         name: Login to Docker Hub
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
-      - uses: docker/build-push-action@v4
+      - uses: docker/build-push-action@v6
         name: Build and push
         if: ${{ steps.check_if_update_is_necessary.outputs.needs_update == 'true' && steps.target_image_name.outputs.tags != '' }}
         with:
@@ -89,3 +89,5 @@ jobs:
           pull: true
           tags: ${{ steps.target_image_name.outputs.tags }}
           build-args: NGINX_TAG=${{ steps.target_nginx_tag.outputs.tag }}
+          provenance: mode=max
+          sbom: true
