Add artifact attestation step to Docker workflow for improved supply chain security

nick-hann · nick-hann · commit a30483a945b8 · 2025-03-28T19:33:23.000+09:00
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
@@ -8,6 +8,10 @@ jobs:
   push_to_docker_hub:
     name: Push to Docker Hub
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      attestations: write
+      id-token: write
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
@@ -30,9 +34,17 @@ jobs:
             type=sha
 
       - name: Build and push Docker image
+        id: push
         uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671
         with:
           context: .
           push: true
           tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }} 
+          labels: ${{ steps.meta.outputs.labels }}
+
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-name: index.docker.io/hanqyu/mcp-github-sse
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true 
