From 112f42eea906b3498d071a02f0129ec7e4f262a0 Mon Sep 17 00:00:00 2001 From: Geoff Wilson Date: Tue, 10 Feb 2026 10:07:39 -0500 Subject: [PATCH 1/2] Fixes error with incorrect sha format for attestation Signed-off-by: Geoff Wilson --- .github/workflows/docker-build.yml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml index c0e37ee..b19464b 100644 --- a/.github/workflows/docker-build.yml +++ b/.github/workflows/docker-build.yml @@ -120,6 +120,7 @@ jobs: platforms: linux/amd64 - name: Push to registries + id: push run: | for registry in ${{ steps.registries.outputs.registries }}; do echo "Pushing to ${registry}..." @@ -130,10 +131,16 @@ jobs: done done + # Capture the image digest from ghcr.io for attestation + first_tag=$(echo "${{ steps.tags.outputs.tags }}" | awk '{print $1}') + digest=$(docker inspect --format='{{index .RepoDigests 0}}' "ghcr.io/pulp/${{ env.IMAGE_NAME }}:${first_tag}" | cut -d'@' -f2) + echo "digest=${digest}" >> $GITHUB_OUTPUT + echo "Image digest: ${digest}" + - name: Generate artifact attestation if: github.event_name != 'pull_request' uses: actions/attest-build-provenance@v1 with: subject-name: ghcr.io/pulp/${{ env.IMAGE_NAME }} - subject-digest: ${{ hashFiles('Dockerfile') }} + subject-digest: ${{ steps.push.outputs.digest }} push-to-registry: true From 0107a147506392ecbd7d52159a8f8407f6cdcbb6 Mon Sep 17 00:00:00 2001 From: Geoff Wilson Date: Tue, 10 Feb 2026 10:25:30 -0500 Subject: [PATCH 2/2] Additional attestation fix Signed-off-by: Geoff Wilson --- .github/workflows/docker-build.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml index b19464b..9ea3cd7 100644 --- a/.github/workflows/docker-build.yml +++ b/.github/workflows/docker-build.yml @@ -24,6 +24,7 @@ jobs: contents: read packages: write id-token: write + attestations: write steps: - name: Checkout code
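Review bot: The digest captured at the end of the `Push to registries` step (second hunk of PATCH 1/2) is neither selected for ghcr.io nor validated before it reaches `subject-digest`. `{{index .RepoDigests 0}}` takes whichever entry happens to be first, although the step pushes to every registry in `steps.registries.outputs.registries`. Because the `docker inspect … | cut` pipeline ends in `cut`, a failed inspect leaves `digest` empty without failing the step unless the shell runs with `pipefail`. The new lines also expand `${{ steps.tags.outputs.tags }}` directly into the script, which is a script-injection risk if the tags can derive from a ref name, so passing the value through `env:` is safer in a job that holds `packages: write` and `id-token: write`. The fence sketches the step with the entry matched by repository name and a `sha256:` check; the step begins in the previous hunk, and the indentation is assumed because the page does not preserve it.

```yaml
      - name: Push to registries
        id: push
        env:
          TAGS: ${{ steps.tags.outputs.tags }}
          IMAGE: ghcr.io/pulp/${{ env.IMAGE_NAME }}
        run: |
          # … unchanged: push loop over registries and tags …

          # Capture the ghcr.io digest for attestation; fail if it is missing
          first_tag=$(echo "${TAGS}" | awk '{print $1}')
          digest=$(docker inspect \
            --format='{{range .RepoDigests}}{{println .}}{{end}}' \
            "${IMAGE}:${first_tag}" \
            | awk -F@ -v repo="${IMAGE}" '$1 == repo {print $2; exit}')
          case "${digest}" in
            sha256:*) ;;
            *) echo "::error::no ghcr.io digest for ${IMAGE}:${first_tag}"; exit 1 ;;
          esac
          echo "digest=${digest}" >> "$GITHUB_OUTPUT"
          echo "Image digest: ${digest}"
```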
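Review bot: `attestations: write` in PATCH 2/2 is added to what appears to be the job-level `permissions` block, so together with `id-token: write` and `packages: write` it is available to every step of the job, not only to `Generate artifact attestation`. If the checkout, build and push steps do not need the OIDC and attestation scopes, consider moving the attestation into a follow-up job that receives the digest as a job output and alone carries `id-token: write` and `attestations: write` (plus `packages: write` for `push-to-registry`). With these scopes granted it is also worth pinning `actions/attest-build-provenance@v1` to a full commit SHA, e.g. `uses: actions/attest-build-provenance@<full-commit-sha> # v1`, since a tag can be moved. The `permissions` block starts outside the hunk, so its full contents are not visible here.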