
Create build-attested-image.yml #217

Merged
Dargon789 merged 2 commits into main from Dargon789-patch-1 on Nov 22, 2025

Conversation

Dargon789 (Owner) commented Nov 22, 2025

Thank you for opening a Pull Request! Before submitting your PR, there are a few things you can do to make sure it goes smoothly:

  • Make sure to open an issue as a bug/issue before writing your code! That way we can discuss the change, evaluate designs, and agree on the general idea
  • Ensure the tests and linter pass
  • Code coverage does not decrease (if any source code was changed)
  • Appropriate docs were updated (if necessary)

Fixes #<issue_number_goes_here> 🦕

Summary by Sourcery

CI:

  • Introduce a build-attested-image workflow that builds and pushes a Docker image to GitHub Container Registry and generates build provenance attestations.

Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com>
gemini-code-assist bot commented

Note: Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.

sourcery-ai bot commented Nov 22, 2025

Reviewer's Guide

Adds a new GitHub Actions workflow that builds, pushes, and generates build-provenance attestations for a container image in GitHub Container Registry whenever changes are pushed to the main branch.

Flow diagram for the build-attested-image GitHub Actions workflow

```mermaid
flowchart TD
  A["Push to 'main' branch"] --> B["Start 'build-attested-image' workflow"]
  B --> C["Provision 'ubuntu-latest' runner with required permissions"]
  C --> D["Set env: REGISTRY=ghcr.io, IMAGE_NAME=github.repository"]
  D --> E["Checkout source code (actions/checkout@v4)"]
  E --> F["Login to GHCR (docker/login-action@v3) using GITHUB_TOKEN"]
  F --> G["Build and push container image (docker/build-push-action@v5.0.0) with tag REGISTRY/IMAGE_NAME:latest"]
  G --> H["Capture pushed image digest from step 'push' outputs"]
  H --> I["Generate build-provenance attestation (actions/attest-build-provenance@v1)"]
  I --> J["Attach and push attestation to GHCR for image REGISTRY/IMAGE_NAME at subject-digest"]
  J --> K["Workflow completed with attested image in GHCR"]
```

File-Level Changes

Change: Introduce a CI workflow to build, push, and attest a container image to GitHub Container Registry on main branch pushes.

Details:
  • Create a build-attested-image workflow triggered on pushes to the main branch
  • Configure job permissions for OIDC, packages, contents, and attestations to support image publishing and provenance generation
  • Set registry and image name environment variables based on ghcr.io and the current repository
  • Check out the repository source code as the build context
  • Authenticate to GitHub Container Registry using docker/login-action with GITHUB_TOKEN credentials
  • Build and push a Docker image tagged as :latest using docker/build-push-action and expose the resulting image digest
  • Generate and push a build-provenance attestation for the built image using actions/attest-build-provenance with the pushed image digest

Files: .github/workflows/build-attested-image.yml

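The workflow above publishes an in-toto statement whose subject is the pushed image digest. As an added example (not code from this PR or from actions/attest-build-provenance), the content checks a deployment pipeline would run on that statement before trusting an image: the subject must match the digest the push step exposed, and the provenance must name the expected repository and branch. The image name, repository URL and digest are constructed placeholders; field names follow the SLSA v1 provenance layout for the GitHub Actions build type; signature verification (what `gh attestation verify` does) is out of scope here.

```python
# Added example (not from the PR or from actions/attest-build-provenance):
# the content checks a consumer runs on the in-toto statement the Attest step
# signs. Signature verification is left to `gh attestation verify`.

# Constructed sample of what steps.push.outputs.digest would hold. Not a real image.
PUSHED_DIGEST = "sha256:" + "ab" * 32

# Constructed in-toto Statement with a SLSA v1 predicate, shaped like what the
# action emits for the GitHub Actions build type. Names and URLs are placeholders.
SAMPLE_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{
        "name": "ghcr.io/example-org/example-image",            # subject-name (no tag)
        "digest": {"sha256": PUSHED_DIGEST.split(":", 1)[1]},   # subject-digest
    }],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {"buildDefinition": {"externalParameters": {"workflow": {
        "repository": "https://github.com/example-org/example-image",
        "ref": "refs/heads/main",
        "path": ".github/workflows/build-attested-image.yml",
    }}}},
}


def verify_provenance(statement, image_name, digest, repo_url, ref):
    """Return (ok, reasons): does the statement vouch for exactly this image,
    built by the expected repository and branch? Empty reasons means ok."""
    reasons = []
    if statement.get("_type") != "https://in-toto.io/Statement/v1":
        reasons.append("unexpected statement type")
    if statement.get("predicateType") != "https://slsa.dev/provenance/v1":
        reasons.append("predicate is not SLSA v1 provenance")
    # The digest, not the mutable :latest tag, is what identifies the subject.
    algo, _, hexdigest = digest.partition(":")
    if not any(s.get("name") == image_name and s.get("digest", {}).get(algo) == hexdigest
               for s in statement.get("subject", [])):
        reasons.append("no subject matches image name and digest")
    workflow = (statement.get("predicate", {}).get("buildDefinition", {})
                .get("externalParameters", {}).get("workflow", {}))
    if workflow.get("repository") != repo_url:
        reasons.append("built from an unexpected repository")
    if workflow.get("ref") != ref:
        reasons.append("built from an unexpected ref")
    return (not reasons, reasons)


if __name__ == "__main__":
    ok, why = verify_provenance(SAMPLE_STATEMENT, "ghcr.io/example-org/example-image",
                                PUSHED_DIGEST, "https://github.com/example-org/example-image",
                                "refs/heads/main")
    print("verified" if ok else "rejected: " + "; ".join(why))
```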


snyk-io bot commented Nov 22, 2025

Snyk checks have passed. No issues have been found so far.

Open Source Security scanner: 0 critical, 0 high, 0 medium, 0 low (0 issues total).


sourcery-ai bot previously approved these changes Nov 22, 2025 and left a comment:

Hey there - I've reviewed your changes - here's some feedback:

  • Consider tagging the pushed image with a deterministic value (e.g., the commit SHA or release/tag name) in addition to :latest so that builds are traceable and reproducible across commits.
  • You may want to restrict the workflow trigger (e.g., using paths filters or additional conditions) so this image build only runs when relevant files like the Dockerfile or application code change, avoiding unnecessary builds on unrelated pushes.

## Individual Comments

### Comment 1
<location> `.github/workflows/build-attested-image.yml:28-34` </location>
<code_context>
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build and push image
+        id: push
+        uses: docker/build-push-action@v5.0.0
+        with:
+          context: .
+          push: true
+          tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
+      - name: Attest
+        uses: actions/attest-build-provenance@v1
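Review bot: both action references in this hunk, `uses: docker/build-push-action@v5.0.0` and `uses: actions/attest-build-provenance@v1`, are pinned to tags that the action publisher can move, which is a weak base for a workflow whose whole output is a provenance claim; pin each `uses:` to the full commit SHA of the intended release (keeping the tag in a trailing comment) so the build that produces the attestation is itself reproducible. Logging in with `username: ${{ github.actor }}` and `password: ${{ secrets.GITHUB_TOKEN }}` is appropriate for GHCR provided the `packages: write` permission listed in the reviewer's guide is granted on this job only, not for the whole workflow.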
</code_context>

<issue_to_address>
**suggestion:** Consider tagging images with an immutable identifier in addition to `latest` to avoid ambiguity and rollout issues.

Because `latest` is mutable, it will point to different images over time, which complicates rollbacks and provenance tracking. To keep `latest` for convenience while also having a stable reference, please add an immutable tag (e.g., Git SHA or version) alongside it, for example:

```yaml
tags: |
  ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
  ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
```

```suggestion
      - name: Build and push image
        id: push
        uses: docker/build-push-action@v5.0.0
        with:
          context: .
          push: true
          tags: |
            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
```
</issue_to_address>

### Comment 2
<location> `.github/workflows/build-attested-image.yml:35-39` </location>
<code_context>
+          context: .
+          push: true
+          tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
+      - name: Attest
+        uses: actions/attest-build-provenance@v1
+        id: attest
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
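Review bot: `subject-digest: ${{ steps.push.outputs.digest }}` is what binds this attestation to the manifest that was actually pushed; the `:latest` tag from the preceding step plays no part in it, so downstream verification must resolve the image by digest rather than by tag, and the attested digest should be surfaced (for example written to the job summary) so operators can see which manifest a given run vouched for. `push-to-registry: true` also depends on the OIDC (`id-token`), `packages` and `attestations` write permissions listed in the reviewer's guide; confirm they are scoped to this job.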
</code_context>

<issue_to_address>
**suggestion:** Align attestation subject with the exact image reference (including tag) to avoid ambiguity.

The attestation uses `subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}` while the image is pushed as `.../${{ env.IMAGE_NAME }}:latest`. Please include the tag in `subject-name` so the attestation unambiguously matches the pushed image, for example:

- `subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest`

If you later use immutable tags, mirror those here instead.
</issue_to_address>


Co-authored-by: sourcery-ai[bot] <58596630+sourcery-ai[bot]@users.noreply.github.com>
Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com>