add cli container provenance (#334)

spencerschrock · web-flow · commit 6b79300f1310 · 2024-12-12T00:17:43.000-08:00
* generate cli container provenance

Signed-off-by: Spencer Schrock &lt;sschrock@google.com&gt;

* tag the cli container with the release tag

Signed-off-by: Spencer Schrock &lt;sschrock@google.com&gt;

---------

Signed-off-by: Spencer Schrock &lt;sschrock@google.com&gt;
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -73,7 +73,7 @@ jobs:
           containerfiles: |
             ./Containerfile
           image: ghcr.io/sigstore/model-transparency-cli
-          tags: latest
+          tags: "latest ${{ github.event.release.tag_name }}"
           archs: amd64
           oci: false
 
@@ -99,6 +99,13 @@ jobs:
           tags: ${{ steps.build_image.outputs.tags }}
           registry: ghcr.io
 
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0
+        with:
+          subject-name: ghcr.io/sigstore/model-transparency-cli
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
+
   # TODO: Create and publish release notes
   # TODO: Generate SLSA provenance for the wheels
   # TODO: Sign artifacts with sigstore and publish to release page
