From 5d304e2302899925e85ecef0082be470256394b9 Mon Sep 17 00:00:00 2001
From: MASES Public Developers Team
<94312179+masesdevelopers@users.noreply.github.com>
Date: Fri, 20 Sep 2024 00:54:26 +0200
Subject: [PATCH] Added attestation on Docker images (#538)
---
.github/workflows/build.yaml | 16 ++++++++++++-
.github/workflows/docker.yaml | 23 ++++++++++++++++++-
tests/net/JNetWPFTest/JNetWPFTest.csproj | 2 +-
.../JNetWinFormsTest/JNetWinFormsTest.csproj | 2 +-
4 files changed, 39 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 1dee8fbd1a..f5a585a79e 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -66,6 +66,11 @@ jobs:
needs: check_changes
if: "always() && needs.check_changes.outputs.run_build_windows == 'true'"
runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ packages: write
+ contents: read
+ attestations: write
# Steps represent a sequence of tasks that will be executed as part of the job
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
@@ -119,6 +124,7 @@ jobs:
ghcr.io/${{ github.repository_owner }}/jnet
- name: Build and push
+ id: push
uses: docker/build-push-action@v6
with:
file: ./src/container/Dockerfile.linux
@@ -129,7 +135,15 @@ jobs:
labels: ${{ steps.meta.outputs.labels }}
provenance: true
sbom: true
-
+
+ - name: Attest Docker Hub
+ uses: actions/attest-build-provenance@v1
+ id: attest
+ with:
+ subject-name: index.docker.io/masesgroup/jnet
+ subject-digest: ${{ steps.push.outputs.digest }}
+ push-to-registry: true
+
# Now run "build_windows"
build_windows:
needs: check_changes
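Review bot: Only the Docker Hub copy of the image gets a provenance attestation here, although the preceding metadata step also tags `ghcr.io/${{ github.repository_owner }}/jnet` (visible at the top of the previous hunk) and the companion `docker.yaml` change attests both registries for the same `steps.push.outputs.digest`. A consumer verifying the GHCR image with `gh attestation verify` will therefore find no attestation for it from this workflow, so the second attest step should be mirrored here. Note also that `subject-name: index.docker.io/masesgroup/jnet` hard-codes the organisation while the GHCR name is derived from `github.repository_owner`; on a fork the attestation would name an image the fork never pushed. `push-to-registry: true` presumes the job is still logged in to the target registry at this point; the login step is outside this hunk, as is the rest of the `build_windows` job that starts at the end of it.
```yaml
      - name: Attest GitHub
        uses: actions/attest-build-provenance@v1
        id: attest-ghcr
        with:
          subject-name: ghcr.io/${{ github.repository_owner }}/jnet
          subject-digest: ${{ steps.push.outputs.digest }}
          push-to-registry: true
```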
diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml
index a0e0d9375c..5181163362 100644
--- a/.github/workflows/docker.yaml
+++ b/.github/workflows/docker.yaml
@@ -13,6 +13,11 @@ on:
jobs:
build_container_linux:
runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ packages: write
+ contents: read
+ attestations: write
# Steps represent a sequence of tasks that will be executed as part of the job
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
@@ -73,6 +78,7 @@ jobs:
ghcr.io/${{ github.repository_owner }}/jnet
- name: Build and push
+ id: push
uses: docker/build-push-action@v6
with:
file: ./src/container/Dockerfile.linux
@@ -83,4 +89,19 @@ jobs:
labels: ${{ steps.meta.outputs.labels }}
provenance: true
sbom: true
-
\ No newline at end of file
+
+ - name: Attest Docker Hub
+ uses: actions/attest-build-provenance@v1
+ id: attest1
+ with:
+ subject-name: index.docker.io/masesgroup/jnet
+ subject-digest: ${{ steps.push.outputs.digest }}
+ push-to-registry: true
+
+ - name: Attest GitHub
+ uses: actions/attest-build-provenance@v1
+ id: attest2
+ with:
+ subject-name: ghcr.io/${{ github.repository_owner }}/jnet
+ subject-digest: ${{ steps.push.outputs.digest }}
+ push-to-registry: true
\ No newline at end of file
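Review bot: Both new `actions/attest-build-provenance@v1` steps are pinned to a mutable major tag, yet this is the step that uses the job's `id-token: write` and `attestations: write` grants to mint Sigstore-signed provenance for a published image, so a compromised or retargeted tag would let an attacker sign arbitrary subjects with this repository's identity. Pin it (and `docker/build-push-action@v6` in the previous hunk) to a full commit SHA with the version as a trailing comment, e.g. `uses: actions/attest-build-provenance@<full-commit-sha> # v1.x.y`, and let Dependabot or Renovate bump the SHA. With `push-to-registry: true` each step also needs the job to be logged in to that registry with credentials allowed to push referrer artifacts; the `docker/login-action` steps are presumably earlier in the job but are not visible in this hunk. Finally, the file still lacks a trailing newline after the last `push-to-registry: true`.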
diff --git a/tests/net/JNetWPFTest/JNetWPFTest.csproj b/tests/net/JNetWPFTest/JNetWPFTest.csproj
index ecdf7da3df..d3a81709e4 100644
--- a/tests/net/JNetWPFTest/JNetWPFTest.csproj
+++ b/tests/net/JNetWPFTest/JNetWPFTest.csproj
@@ -7,7 +7,7 @@