Bump GH attestations and fix the token permissions (#32)
* Update build-binary-signed-ghat-malicious.yml

* Update build-binary-signed-ghat.yml

* Update build-image-signed-ghat-malicious.yml

* Update build-image-signed-ghat-static-copied.yml

* Update build-image-signed-ghat-static.yml

* Update build-image-signed-ghat.yml
rdimitrov authored Aug 15, 2024
1 parent ae234a4 commit c2bb970
Showing 6 changed files with 14 additions and 6 deletions.
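--- a/.github/workflows/build-binary-signed-ghat-malicious.yml
+++ b/.github/workflows/build-binary-signed-ghat-malicious.yml
@@ -9,6 +9,8 @@ jobs:
 id-token: write
 packages: write
 contents: write
+attestations: write
+
 runs-on: ubuntu-latest
 steps:
 - name: Check out code
@@ -28,7 +30,7 @@ jobs:
 go build -v -o demo-repo-go-binary ./...
 - name: Sign artifact
-uses: actions/attest-build-provenance@v1.0.0
+uses: actions/attest-build-provenance@v1.4.1
 with:
 subject-path: '${{ github.workspace }}/demo-repo-go-binary'
 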
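Review bot: The new `uses: actions/attest-build-provenance@v1.4.1` in the second hunk still pins the action to a mutable tag, so the code that produces this workflow's provenance can be swapped under the same version string without any change showing up here; pin it to the full commit SHA of the v1.4.1 release instead and keep the tag as a comment, `uses: actions/attest-build-provenance@<commit-sha> # v1.4.1`. In the first hunk the job keeps `contents: write` and `packages: write` alongside the added `attestations: write`, although the steps visible in this section only check out, `go build` and attest, which need `contents: read`, `id-token: write` and `attestations: write`. Unless a step outside the hunk publishes a release or a package, those two write grants look broader than this job needs. Both the permissions block and the step list continue outside the hunk, so check the full file before trimming.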
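--- a/.github/workflows/build-binary-signed-ghat.yml
+++ b/.github/workflows/build-binary-signed-ghat.yml
@@ -9,6 +9,8 @@ jobs:
 id-token: write
 packages: write
 contents: write
+attestations: write
+
 runs-on: ubuntu-latest
 steps:
 - name: Check out code
@@ -24,7 +26,7 @@ jobs:
 go build -v -o demo-repo-go-binary ./...
 - name: Sign artifact
-uses: actions/attest-build-provenance@v1.0.0
+uses: actions/attest-build-provenance@v1.4.1
 with:
 subject-path: '${{ github.workspace }}/demo-repo-go-binary'
 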
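Review bot: The permissions block in the first hunk grants `contents: write` and `packages: write` to a job whose visible steps are checkout, `go build` and the attest step, none of which writes repository contents or packages; the attest step uses `id-token: write` plus the added `attestations: write`, and checkout needs only `contents: read`. If nothing outside the hunk uploads a release asset or pushes a package, drop to `contents: read` and remove `packages: write` so a compromised build step cannot tamper with the repository or its packages. Separately, `uses: actions/attest-build-provenance@v1.4.1` in the second hunk is a tag pin; a SHA pin with the version in a comment, `uses: actions/attest-build-provenance@<commit-sha> # v1.4.1`, is the usual hardening for a signing step. The job definition starts before and ends after this hunk.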
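--- a/.github/workflows/build-image-signed-ghat-malicious.yml
+++ b/.github/workflows/build-image-signed-ghat-malicious.yml
@@ -9,6 +9,7 @@ jobs:
 id-token: write
 packages: write
 contents: write
+attestations: write
 
 steps:
 - name: Checkout repository
@@ -34,7 +35,7 @@ jobs:
 context: .
 
 - name: Attest image
-uses: actions/attest-build-provenance@v1.0.0
+uses: actions/attest-build-provenance@v1.4.1
 with:
 subject-name: ghcr.io/${{ github.repository }}
 subject-digest: ${{ steps.push-step.outputs.digest }}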
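Review bot: The `with:` block of the attest step in the second hunk ends at `subject-digest: ${{ steps.push-step.outputs.digest }}` as shown, and no `push-to-registry: true` is visible; without it the provenance is stored only in the repository's attestation store and is not attached to `ghcr.io/${{ github.repository }}` in the registry, so consumers that verify the image from GHCR rather than via the GitHub API will not find it. If the `with:` mapping does not continue past the hunk, add `push-to-registry: true` (presumably this is also what `packages: write` in the first hunk is there for). The bumped `uses: actions/attest-build-provenance@v1.4.1` is still a mutable tag pin; pin to the release's commit SHA and note the version, `uses: actions/attest-build-provenance@<commit-sha> # v1.4.1`. The step's `with:` block may continue beyond the last line of the hunk, so confirm before adding the key.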
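--- a/.github/workflows/build-image-signed-ghat-static-copied.yml
+++ b/.github/workflows/build-image-signed-ghat-static-copied.yml
@@ -9,6 +9,7 @@ jobs:
 id-token: write
 packages: write
 contents: write
+attestations: write
 
 steps:
 - name: Checkout repository
@@ -31,7 +32,7 @@ jobs:
 file : Dockerfile.static
 
 - name: Attest image
-uses: actions/attest-build-provenance@v1.0.0
+uses: actions/attest-build-provenance@v1.4.1
 with:
 subject-name: ghcr.io/${{ github.repository }}
 subject-digest: ${{ steps.push-step.outputs.digest }}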
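Review bot: `subject-name: ghcr.io/${{ github.repository }}` in the second hunk takes the repository slug verbatim, and GHCR image names are lowercase, so if the owner or repository name contains an uppercase letter the attested subject name will not match the name the push step wrote and verification against the pushed image fails; unless `push-step` (outside this hunk) already lowercases the name, derive the subject from the same lowercased value the push uses. The `uses: actions/attest-build-provenance@v1.4.1` bump keeps a tag pin; a SHA pin, `uses: actions/attest-build-provenance@<commit-sha> # v1.4.1`, prevents the signing step from being silently replaced upstream. The `with:` mapping may continue past the end of the hunk.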
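--- a/.github/workflows/build-image-signed-ghat-static.yml
+++ b/.github/workflows/build-image-signed-ghat-static.yml
@@ -9,6 +9,7 @@ jobs:
 id-token: write
 packages: write
 contents: write
+attestations: write
 
 steps:
 - name: Checkout repository
@@ -31,7 +32,7 @@ jobs:
 file : Dockerfile.static
 
 - name: Attest image
-uses: actions/attest-build-provenance@v1.0.0
+uses: actions/attest-build-provenance@v1.4.1
 with:
 subject-name: ghcr.io/${{ github.repository }}
 subject-digest: ${{ steps.push-step.outputs.digest }}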
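Review bot: The permissions block in the first hunk still carries `contents: write` on a job that, from the steps visible here, checks out, builds with `Dockerfile.static` and attests the pushed image; checkout needs only `contents: read`, pushing to GHCR is covered by `packages: write`, and the attest step uses `id-token: write` with the added `attestations: write`. Unless a step outside the hunk writes to the repository, `contents: read` is sufficient and removes the ability of a compromised build to push commits or tags with the job token. The bumped `uses: actions/attest-build-provenance@v1.4.1` is a mutable tag pin; for a step that signs provenance, pin the commit SHA, `uses: actions/attest-build-provenance@<commit-sha> # v1.4.1`. The full step list lies outside the hunk, so verify before narrowing.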
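--- a/.github/workflows/build-image-signed-ghat.yml
+++ b/.github/workflows/build-image-signed-ghat.yml
@@ -9,6 +9,7 @@ jobs:
 id-token: write
 packages: write
 contents: write
+attestations: write
 
 steps:
 - name: Checkout repository
@@ -30,7 +31,7 @@ jobs:
 context: .
 
 - name: Attest image
-uses: actions/attest-build-provenance@v1.0.0
+uses: actions/attest-build-provenance@v1.4.1
 with:
 subject-name: ghcr.io/${{ github.repository }}
 subject-digest: ${{ steps.push-step.outputs.digest }}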
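Review bot: `uses: actions/attest-build-provenance@v1.4.1` in the second hunk pins the signing step to a tag that the upstream repository can move, so the attestation generator can change without any change to this workflow; pin to the release's full commit SHA and keep the version as a trailing comment, `uses: actions/attest-build-provenance@<commit-sha> # v1.4.1`. Dependabot updates both the SHA and the version comment for SHA-pinned actions, so the pin does not cost the automatic bumps this commit performs by hand. In the first hunk, `contents: write` is not used by checkout, the push or the attest step as far as this section shows, so consider `contents: read` unless a step outside the hunk writes to the repository. The job body continues outside both hunks.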
