Merge pull request #19 from stacklok/update_att_upstream

Bump GH attestations and fix permissions
stacklok · Aug 15, 2024 · d2f018a · d2f018a
2 parents f62f0da + c303b0b
commit d2f018a
Show file tree

Hide file tree

Showing 6 changed files with 16 additions and 8 deletions.
diff --git a/.github/workflows/build-binary-signed-ghat-malicious.yml b/.github/workflows/build-binary-signed-ghat-malicious.yml
@@ -9,6 +9,8 @@ jobs:
       id-token: write
       packages: write
       contents: write
+      attestations: write
+
     runs-on: ubuntu-latest
     steps:
       - name: Check out code
@@ -25,7 +27,7 @@ jobs:
 #          ...
 #
 #      - name: Sign artifact
-#        uses: actions/attest-build-provenance@v1.0.0
+#        uses: actions/attest-build-provenance@v1.4.1
 #        with:
 #          subject-path: '${{ github.workspace }}/demo-repo-go-binary'
 #

diff --git a/.github/workflows/build-binary-signed-ghat.yml b/.github/workflows/build-binary-signed-ghat.yml
@@ -9,6 +9,8 @@ jobs:
       id-token: write
       packages: write
       contents: write
+      attestations: write
+
     runs-on: ubuntu-latest
     steps:
       - name: Check out code
@@ -21,7 +23,7 @@ jobs:
 #          ...
 #
 #      - name: Sign artifact
-#        uses: actions/attest-build-provenance@v1.0.0
+#        uses: actions/attest-build-provenance@v1.4.1
 #        with:
 #          subject-path: '${{ github.workspace }}/demo-repo-go-binary'
 #

diff --git a/.github/workflows/build-image-signed-ghat-malicious.yml b/.github/workflows/build-image-signed-ghat-malicious.yml
@@ -9,6 +9,7 @@ jobs:
       id-token: write
       packages: write
       contents: write
+      attestations: write
 
     steps:
       - name: Checkout repository
@@ -34,8 +35,8 @@ jobs:
           context: .
 
       - name: Attest image
-        uses: actions/attest-build-provenance@v1.0.0
+        uses: actions/attest-build-provenance@v1.4.1
         with:
           subject-name: ghcr.io/${{ github.repository }}
           subject-digest: ${{ steps.push-step.outputs.digest }}
-          push-to-registry: true
+          push-to-registry: true
diff --git a/.github/workflows/build-image-signed-ghat-static-copied.yml b/.github/workflows/build-image-signed-ghat-static-copied.yml
@@ -9,6 +9,7 @@ jobs:
       id-token: write
       packages: write
       contents: write
+      attestations: write
 
     steps:
       - name: Checkout repository
@@ -31,7 +32,7 @@ jobs:
           file : Dockerfile.static
 
       - name: Attest image
-        uses: actions/attest-build-provenance@v1.0.0
+        uses: actions/attest-build-provenance@v1.4.1
         with:
           subject-name: ghcr.io/${{ github.repository }}
           subject-digest: ${{ steps.push-step.outputs.digest }}

diff --git a/.github/workflows/build-image-signed-ghat-static.yml b/.github/workflows/build-image-signed-ghat-static.yml
@@ -9,6 +9,7 @@ jobs:
       id-token: write
       packages: write
       contents: write
+      attestations: write
 
     steps:
       - name: Checkout repository
@@ -31,7 +32,7 @@ jobs:
           file : Dockerfile.static
 
       - name: Attest image
-        uses: actions/attest-build-provenance@v1.0.0
+        uses: actions/attest-build-provenance@v1.4.1
         with:
           subject-name: ghcr.io/${{ github.repository }}
           subject-digest: ${{ steps.push-step.outputs.digest }}

diff --git a/.github/workflows/build-image-signed-ghat.yml b/.github/workflows/build-image-signed-ghat.yml
@@ -9,6 +9,7 @@ jobs:
       id-token: write
       packages: write
       contents: write
+      attestations: write
 
     steps:
       - name: Checkout repository
@@ -30,8 +31,8 @@ jobs:
           context: .
 
       - name: Attest image
-        uses: actions/attest-build-provenance@v1.0.0
+        uses: actions/attest-build-provenance@v1.4.1
         with:
           subject-name: ghcr.io/${{ github.repository }}
           subject-digest: ${{ steps.push-step.outputs.digest }}
-          push-to-registry: true
+          push-to-registry: true