From 337d7c72a6b23cdc2d94ba3623219db297b2db5d Mon Sep 17 00:00:00 2001
From: Marcel
Date: Thu, 18 Jul 2024 10:44:56 +0200
Subject: [PATCH] Add SBOM and Attestation to the Docker release process (#477)

* feat: Add SBOM and Attestation to the Docker release process. Also ensure we only deploy platforms on the qemu action as needed and update versions. This also limits the permissions used
* fix: Make sure there is an empty line at the end of the file
* Fix the qemu platforms
---
 .github/workflows/docker-hub-develop.yml | 20 ++++++++++++++++++--
 .github/workflows/docker-hub-latest.yml | 21 +++++++++++++++++++--
 .github/workflows/docker-hub-release.yml | 21 +++++++++++++++++++--
 3 files changed, 56 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/docker-hub-develop.yml b/.github/workflows/docker-hub-develop.yml
index 4cb6eaa4..88c65579 100644
--- a/.github/workflows/docker-hub-develop.yml
+++ b/.github/workflows/docker-hub-develop.yml
@@ -16,6 +16,11 @@ env:
 jobs:
   docker-latest:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      packages: write
+      contents: read
+      attestations: write
     steps:
       - name: Check out
         uses: actions/checkout@v4
@@ -26,10 +31,12 @@ jobs:
 
       # Needed for multi platform builds
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.0.0
+        uses: docker/setup-qemu-action@v3
+        with:
+          platforms: ${{ env.PLATFORMS }}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3.3.0
+        uses: docker/setup-buildx-action@v3
 
       - name: Log in to Docker Hub
         uses: docker/login-action@v3
@@ -38,6 +45,7 @@ jobs:
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Build image
+        id: push
         uses: docker/build-push-action@v5
         with:
           context: .
@@ -46,3 +54,11 @@ jobs:
           push: ${{ env.PUSH }}
           tags: |
             ${{ env.DOCKER_NAMESPACE }}/draupnir:develop
+
+      - name: Attest
+        uses: actions/attest-build-provenance@v1
+        id: attest
+        with:
+          subject-name: ${{ env.DOCKER_NAMESPACE }}/draupnir:develop
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
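Review bot: `packages: write` in the new job-level permissions block grants write access to GitHub Packages, yet nothing visible in this workflow publishes there — the login step targets Docker Hub and the image is tagged `${{ env.DOCKER_NAMESPACE }}/draupnir`, so the token scope appears wider than the job needs. If no GHCR push is intended, drop that line and keep `id-token: write`, `attestations: write` and `contents: read`, which are what the attest step and checkout require. The identical block is added to docker-hub-latest.yml and docker-hub-release.yml; apply the same trim there. A job-level `permissions` block also replaces any workflow-level block, which is outside the hunk, so check that no other step in the job relied on the default token scopes.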
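Review bot: The replaced lines move `docker/setup-qemu-action` and `docker/setup-buildx-action` from exact tags (`v3.0.0`, `v3.3.0`) to the floating major tags `@v3`, which an upstream tag move can silently redirect; in a job that now signs provenance with the workflow identity, the build toolchain should be the most tightly pinned part, not the least. Pin each action to its full commit SHA with the version as a trailing comment, e.g. `uses: docker/setup-qemu-action@<commit-sha>  # v3.x.y`, and do the same for `docker/build-push-action@v5` and `actions/attest-build-provenance@v1` in the later hunks. The same loosening appears in the QEMU/Buildx hunks of docker-hub-latest.yml and docker-hub-release.yml. If staying current was the reason for dropping the exact versions, Dependabot or Renovate can keep SHA pins updated.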
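Review bot: The `subject-name` passed to attest-build-provenance includes the `:develop` tag, whereas the action's documentation asks for a fully-qualified image name (registry host included, no tag) because the tag is a mutable pointer and the `subject-digest` line already identifies the exact image; confirm against the action's README, since the registry push or a later `gh attestation verify` may not match the subject as written. The same applies to the `:latest` and `:${{ env.RELEASE_VERSION }}` subjects in docker-hub-latest.yml and docker-hub-release.yml. In this workflow the build step uses `push: ${{ env.PUSH }}`, so if PUSH can be false the Attest step runs against an image that was never pushed and `steps.push.outputs.digest` may be empty; guard it with `if: ${{ env.PUSH == 'true' }}`. Unlike the other two workflows, this build step also does not receive `sbom: true`, which looks like an oversight given the commit title.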
diff --git a/.github/workflows/docker-hub-latest.yml b/.github/workflows/docker-hub-latest.yml
index ddcec01d..38110dbe 100644
--- a/.github/workflows/docker-hub-latest.yml
+++ b/.github/workflows/docker-hub-latest.yml
@@ -14,6 +14,11 @@ env:
 jobs:
   docker-release:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      packages: write
+      contents: read
+      attestations: write
     steps:
       - name: Check out
         uses: actions/checkout@v4
@@ -26,10 +31,12 @@ jobs:
 
       # Needed for multi platform builds
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.0.0
+        uses: docker/setup-qemu-action@v3
+        with:
+          platforms: ${{ env.PLATFORMS }}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3.3.0
+        uses: docker/setup-buildx-action@v3
 
       - name: Log in to Docker Hub
         uses: docker/login-action@v3
@@ -38,11 +45,21 @@ jobs:
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Build image
+        id: push
         uses: docker/build-push-action@v5
         with:
           context: .
           file: ./Dockerfile
           platforms: ${{ env.PLATFORMS }}
           push: true
+          sbom: true
           tags: |
             ${{ env.DOCKER_NAMESPACE }}/draupnir:latest
+
+      - name: Attest
+        uses: actions/attest-build-provenance@v1
+        id: attest
+        with:
+          subject-name: ${{ env.DOCKER_NAMESPACE }}/draupnir:latest
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
diff --git a/.github/workflows/docker-hub-release.yml b/.github/workflows/docker-hub-release.yml
index 03958c6d..aa080aa3 100644
--- a/.github/workflows/docker-hub-release.yml
+++ b/.github/workflows/docker-hub-release.yml
@@ -14,6 +14,11 @@ env:
 jobs:
   docker-release:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      packages: write
+      contents: read
+      attestations: write
     steps:
       - name: Check out
         uses: actions/checkout@v4
@@ -26,10 +31,12 @@ jobs:
 
       # Needed for multi platform builds
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.0.0
+        uses: docker/setup-qemu-action@v3
+        with:
+          platforms: ${{ env.PLATFORMS }}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3.3.0
+        uses: docker/setup-buildx-action@v3
 
       - name: Log in to Docker Hub
         uses: docker/login-action@v3
@@ -38,11 +45,21 @@ jobs:
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Build image
+        id: push
         uses: docker/build-push-action@v5
         with:
           context: .
           file: ./Dockerfile
           platforms: ${{ env.PLATFORMS }}
           push: true
+          sbom: true
           tags: |
             ${{ env.DOCKER_NAMESPACE }}/draupnir:${{ env.RELEASE_VERSION }}
+
+      - name: Attest
+        uses: actions/attest-build-provenance@v1
+        id: attest
+        with:
+          subject-name: ${{ env.DOCKER_NAMESPACE }}/draupnir:${{ env.RELEASE_VERSION }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true