# attest-docker.yml
Generate and attach security attestations (SLSA provenance and/or SBOM) to an already-built Docker image. Designed to run after build-docker.yml.
## Inputs
| Input | Type | Description | Required | Default |
|---|---|---|---|---|
| IMAGE_NAME | string | Full image name including registry and path (e.g. ghcr.io/my-org/my-image). Normalized automatically. | Yes | - |
| DIGEST | string | Digest of the image to attest (e.g. sha256:abc123...). Use the digest output of build-docker.yml. | Yes | - |
| PROVENANCE | boolean | Generate a SLSA provenance attestation for the image | No | false |
| SBOM | boolean | Generate an SBOM (Software Bill of Materials) attestation for the image | No | false |
| RUNS_ON | string | Runner labels as JSON array (e.g., '["ubuntu-24.04"]' or '["self-hosted", "linux"]') | No | ["ubuntu-24.04"] |
## Secrets
| Secret | Description | Required |
|---|---|---|
| REGISTRY_USERNAME | Username used to log in to the registry (not needed for ghcr.io) | No |
| REGISTRY_PASSWORD | Password used to log in to the registry (not needed for ghcr.io) | No |
## Permissions
| Scope | Access | Description |
|---|---|---|
| packages | write | Push attestations to the registry |
| id-token | write | Required to sign attestations via OIDC |
| attestations | write | Required to create GitHub attestations |
## Notes
- This workflow is designed to be called after `build-docker.yml`, using its `digest` and `image` outputs.
- At least one of `PROVENANCE` or `SBOM` must be `true` for the job to perform a useful action.
- SLSA Provenance: generates an attestation conforming to SLSA level 3, attached to the image in the registry.
- SBOM: generates an SPDX SBOM via Trivy, then attests and attaches it to the image in the registry.
- The image name is automatically normalized (lowercase, `_` replaced with `-`) for OCI registry compatibility.
- For `ghcr.io`, authentication uses `github.token` automatically; for other registries, provide `REGISTRY_USERNAME` and `REGISTRY_PASSWORD` as secrets.
- Alternative: when using `build-docker.yml` in a matrix strategy, outputs from individual matrix jobs cannot be easily forwarded to this workflow. In that case, prefer enabling `PROVENANCE` and/or `SBOM` directly in `build-docker.yml` instead; each matrix job will attest its own image automatically.
## Examples

### After a build with provenance and SBOM

```yaml
jobs:
  build:
    uses: this-is-tobi/github-workflows/.github/workflows/build-docker.yml@v0
    permissions:
      packages: write
      contents: read
    with:
      IMAGE_NAME: ghcr.io/my-org/my-app
      IMAGE_TAG: ${{ needs.release.outputs.version }}
      IMAGE_CONTEXT: ./
      IMAGE_DOCKERFILE: ./Dockerfile
      LATEST_TAG: true
  attest:
    uses: this-is-tobi/github-workflows/.github/workflows/attest-docker.yml@v0
    needs:
      - build
    permissions:
      packages: write
      id-token: write
      attestations: write
    with:
      IMAGE_NAME: ${{ needs.build.outputs.image }}
      DIGEST: ${{ needs.build.outputs.digest }}
      PROVENANCE: true
      SBOM: true
```

### Provenance only

```yaml
jobs:
  attest:
    uses: this-is-tobi/github-workflows/.github/workflows/attest-docker.yml@v0
    needs:
      - build
    permissions:
      packages: write
      id-token: write
      attestations: write
    with:
      IMAGE_NAME: ${{ needs.build.outputs.image }}
      DIGEST: ${{ needs.build.outputs.digest }}
      PROVENANCE: true
```

### With a custom registry

```yaml
jobs:
  attest:
    uses: this-is-tobi/github-workflows/.github/workflows/attest-docker.yml@v0
    needs:
      - build
    permissions:
      packages: write
      id-token: write
      attestations: write
    with:
      IMAGE_NAME: docker.io/my-org/my-image
      DIGEST: ${{ needs.build.outputs.digest }}
      PROVENANCE: true
      SBOM: true
    secrets:
      REGISTRY_USERNAME: ${{ secrets.DOCKER_USERNAME }}
      REGISTRY_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
```
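The attestations this workflow attaches are only useful if something on the consuming side checks them before the image is deployed. The script below is an added example, not code from the workflow or its repository: it mirrors the image-name normalization described in the Notes (lowercase, `_` to `-`), refuses anything that is not a full `sha256:` digest (a tag can be re-pointed after the attestation was made, a digest cannot), and then runs the GitHub CLI's `gh attestation verify` for both predicate types. Assumptions: `gh` is installed and authenticated when you run it for real; the predicate-type URIs are the SLSA v1 provenance type and the SPDX 2.3 type used by GitHub's SBOM attestations (adjust if your Trivy output declares a different SPDX version); setting `VERIFY_DRY_RUN=1` only prints the commands so the helpers can be exercised offline.

```shell
#!/usr/bin/env sh
# Added example, not part of attest-docker.yml or its repository.
# Consumer-side verification of an image attested by the workflow.
# Assumptions: gh CLI installed and logged in unless VERIFY_DRY_RUN=1,
# in which case the verify commands are printed instead of executed.

SLSA_PREDICATE='https://slsa.dev/provenance/v1'   # assumed default provenance type
SPDX_PREDICATE='https://spdx.dev/Document/v2.3'   # assumed SPDX 2.3 SBOM type

# Same normalization the workflow applies: lowercase, "_" replaced with "-".
normalize_image_name() {
  printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr '_' '-'
}

# Only a complete sha256 digest pins the exact image that was attested.
is_valid_digest() {
  case "$1" in
    sha256:*) ;;
    *) return 1 ;;
  esac
  printf '%s' "${1#sha256:}" | grep -Eq '^[0-9a-f]{64}$'
}

# Render the verify command for one predicate: image, digest, owner, predicate.
verify_cmd() {
  printf 'gh attestation verify oci://%s@%s --owner %s --predicate-type %s' \
    "$(normalize_image_name "$1")" "$2" "$3" "$4"
}

# Verify provenance and SBOM attestations for IMAGE@DIGEST under GitHub OWNER.
# Non-zero if the digest is malformed or either verification fails.
verify_attestations() {
  image=$(normalize_image_name "$1")
  digest=$2
  owner=$3
  is_valid_digest "$digest" || {
    echo "refusing to verify: '$digest' is not a full sha256 digest" >&2
    return 1
  }
  for predicate in "$SLSA_PREDICATE" "$SPDX_PREDICATE"; do
    if [ "${VERIFY_DRY_RUN:-0}" = 1 ]; then
      verify_cmd "$image" "$digest" "$owner" "$predicate"
      echo
    else
      gh attestation verify "oci://$image@$digest" \
        --owner "$owner" --predicate-type "$predicate" || return 1
    fi
  done
}

# Usage: ./verify-attestations.sh ghcr.io/my-org/my-app sha256:<digest> my-org
if [ "$#" -eq 3 ]; then
  verify_attestations "$1" "$2" "$3"
fi
```

Feed it the same `image` and `digest` outputs the `attest` job consumed (for example from `needs.build.outputs`), not a tag: the workflow attests a digest, so verification has to name that digest too. Each `gh attestation verify` call fails closed, so wiring this in as a gate before a deploy step means an image without both attestations never ships.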