# build-attested-image GitHub Actions workflow #218

@Dargon789

Reviewer's Guide

Adds a new GitHub Actions workflow that builds, pushes, and generates build-provenance attestations for a container image in GitHub Container Registry whenever changes are pushed to the main branch.

Flow diagram for the build-attested-image GitHub Actions workflow

```mermaid
flowchart TD
  A["Push to 'main' branch"] --> B["Start 'build-attested-image' workflow"]
  B --> C["Provision 'ubuntu-latest' runner with required permissions"]
  C --> D["Set env: REGISTRY=ghcr.io, IMAGE_NAME=github.repository"]
  D --> E["Checkout source code (actions/checkout@v4)"]
  E --> F["Login to GHCR (docker/login-action@v3) using GITHUB_TOKEN"]
  F --> G["Build and push container image (docker/build-push-action@v5.0.0) with tag REGISTRY/IMAGE_NAME:latest"]
  G --> H["Capture pushed image digest from step 'push' outputs"]
  H --> I["Generate build-provenance attestation (actions/attest-build-provenance@v1)"]
  I --> J["Attach and push attestation to GHCR for image REGISTRY/IMAGE_NAME at subject-digest"]
  J --> K["Workflow completed with attested image in GHCR"]
```

File-Level Changes

Change: Introduce a CI workflow to build, push, and attest a container image to GitHub Container Registry on main branch pushes.

Details:
  • Create a build-attested-image workflow triggered on pushes to the main branch
  • Configure job permissions for OIDC, packages, contents, and attestations to support image publishing and provenance generation
  • Set registry and image name environment variables based on ghcr.io and the current repository
  • Check out the repository source code as the build context
  • Authenticate to GitHub Container Registry using docker/login-action with GITHUB_TOKEN credentials
  • Build and push a Docker image tagged as :latest using docker/build-push-action and expose the resulting image digest
  • Generate and push a build-provenance attestation for the built image using actions/attest-build-provenance with the pushed image digest

Files: .github/workflows/build-attested-image.yml
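The PR page does not show the workflow file itself, so the following is an added reconstruction of the steps the reviewer's guide lists, written here as an example and not copied from the PR or the project. It assumes a Dockerfile at the repository root (build context `.`), uses `github.actor` as the registry username, and wires the `digest` output of the push step into the attestation step; the action names, versions, `REGISTRY`/`IMAGE_NAME` values and the permission set are those stated in the guide.

```yaml
# Reconstructed example of the described workflow (not the PR's actual file).
name: build-attested-image

on:
  push:
    branches: [main]

env:
  REGISTRY: ghcr.io
  IMAGE_NAME: ${{ github.repository }}   # owner/repo of the running workflow

jobs:
  build-and-attest:
    runs-on: ubuntu-latest
    permissions:
      id-token: write      # OIDC token: lets the attest action obtain a Sigstore signing identity
      contents: read       # checkout only; nothing in this job writes to the repo
      packages: write      # push the image and the attestation to GHCR
      attestations: write  # record the provenance in GitHub's attestation store

    steps:
      - name: Checkout source as build context
        uses: actions/checkout@v4

      - name: Log in to GHCR with the job's GITHUB_TOKEN
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}            # assumption: actor-based login
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build and push image
        id: push                                   # step id referenced below for the digest
        uses: docker/build-push-action@v5.0.0
        with:
          context: .                               # assumption: Dockerfile at repo root
          push: true
          tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest

      - name: Generate and push build-provenance attestation
        uses: actions/attest-build-provenance@v1
        with:
          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          subject-digest: ${{ steps.push.outputs.digest }}   # bind provenance to the content digest, not the tag
          push-to-registry: true                   # attach the attestation to the image in GHCR
```

Two points worth checking when adopting a workflow like this. First, the attestation is bound to the image digest, so consumers should verify before pulling a mutable `:latest` tag, for example with `gh attestation verify oci://ghcr.io/OWNER/REPO:latest --owner OWNER` (placeholders for the real owner and repository), which fails if the tag has been moved to an image that was not built by this workflow. Second, `github.repository` preserves the owner's capitalisation while GHCR requires lowercase image names, so a repository with uppercase characters in its owner or name would need the name lowercased before it is used as a tag.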

Originally posted by @sourcery-ai[bot] in #217 (comment)
