feat: add sconified image attestation

PierreJeanjacquot · PierreJeanjacquot · commit 9473cf6abe30 · 2025-06-24T14:10:23.000+02:00
diff --git a/.github/workflows/sconify.yml b/.github/workflows/sconify.yml
@@ -88,6 +88,9 @@ on:
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      attestations: write
     env:
       FROM_IMAGE: ${{ inputs.docker-registry }}/${{ inputs.image-name }}:${{ inputs.image-tag }}
       DEBUG_IMAGE: ${{ inputs.docker-registry }}/${{ inputs.image-name }}:${{ inputs.image-tag }}-scone-debug-${{ inputs.sconify-version }}
@@ -150,6 +153,14 @@ jobs:
           echo "checksum=$(docker image inspect $DEBUG_IMAGE | jq .[0].RepoDigests[0] | sed 's/"//g' | awk -F '@sha256:' '{print $2}')" >> "$GITHUB_OUTPUT"
           echo "mrenclave=$(docker run --rm -e SCONE_HASH=1 $DEBUG_IMAGE)" >> "$GITHUB_OUTPUT"
 
+      - name: Attest Debug Image
+        if: ${{ inputs.sconify-debug }}
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-name: ${{ env.DEBUG_IMAGE }}
+          subject-digest: sha256:${{ steps.push-debug.outputs.checksum }}
+          push-to-registry: true
+
       - name: Sconify Image Prod
         if: ${{ inputs.sconify-prod }}
         run: |
@@ -183,3 +194,11 @@ jobs:
           echo "image=$PROD_IMAGE" >> "$GITHUB_OUTPUT"
           echo "checksum=$(docker image inspect $PROD_IMAGE | jq .[0].RepoDigests[0] | sed 's/"//g' | awk -F '@sha256:' '{print $2}')" >> "$GITHUB_OUTPUT"
           echo "mrenclave=$(docker run --rm -e SCONE_HASH=1 $PROD_IMAGE)" >> "$GITHUB_OUTPUT"
+
+      - name: Attest Prod Image
+        if: ${{ inputs.sconify-prod }}
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-name: ${{ env.PROD_IMAGE }}
+          subject-digest: sha256:${{ steps.push-prod.outputs.checksum }}
+          push-to-registry: true
