feat: artifact attestation

.github/workflows/deploy.yaml

@@ -160,6 +160,8 @@ jobs:
     permissions:
       contents: read
       packages: write
+      id-token: write
+      attestations: write
 
     # Build steps
     steps:
@@ -231,11 +233,13 @@ jobs:
 
           # Set full image name
           full_names="${{ env.REGISTRY }}/${{ github.repository_owner }}/${image_name}:${tag}"
+          attestation_image_name="${{ env.REGISTRY }}/${{ github.repository_owner }}/${image_name}"
+          echo "ATTESTATION_IMAGE_NAME=${attestation_image_name}" >> $GITHUB_OUTPUT
           echo "OUTPUT_IMAGE_NAME=${full_names}" >> $GITHUB_OUTPUT
-          if [ "${tag_latest}" == "true" ]
-          then
-            full_names="$full_names,${{ env.REGISTRY }}/${{ github.repository_owner }}/${image_name}:latest"
-          fi
+          # if [ "${tag_latest}" == "true" ]
+          # then
+          #   full_names="$full_names,${{ env.REGISTRY }}/${{ github.repository_owner }}/${image_name}:latest"
+          # fi
           if [ "${image_name}" == "rstudio-local_${{ needs.normalize-inputs.outputs.latest_r_version }}_bioc_${{ needs.normalize-inputs.outputs.latest_bioc_version }}" ] \
             || [ "${image_name}" == "rstudio_${{ needs.normalize-inputs.outputs.latest_r_version }}_bioc_${{ needs.normalize-inputs.outputs.latest_bioc_version }}" ]
           then
@@ -256,6 +260,7 @@ jobs:
           echo "SBOM_OUTPUT_FILENAME=$GITHUB_WORKSPACE/sbom.json" >> $GITHUB_OUTPUT
 
       - name: Build and push image 🏗
+        id: push-image
         uses: docker/build-push-action@v5
         with:
           context: ./
@@ -296,6 +301,21 @@ jobs:
           output-file: "${{ steps.build_vars.outputs.SBOM_OUTPUT_FILENAME }}"
           artifact-name: "sbom.spdx"
 
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-name: ${{ steps.build_vars.outputs.ATTESTATION_IMAGE_NAME }}
+          subject-digest: ${{ steps.push-image.outputs.digest }}
+          push-to-registry: true
+
+      - name: Generate SBOM attestation
+        uses: actions/attest-sbom@v1
+        with:
+          subject-name: ${{ steps.build_vars.outputs.ATTESTATION_IMAGE_NAME }}
+          subject-digest: ${{ steps.push-image.outputs.digest }}
+          sbom-path: ${{ steps.build_vars.outputs.SBOM_OUTPUT_FILENAME }}
+          push-to-registry: true
+
       - name: Upload image manifest to release 🔼
         uses: svenstaro/upload-release-action@v2
         if: "${{ needs.normalize-inputs.outputs.release_tag }} != ''"

.github/workflows/scheduled.yaml

@@ -36,42 +36,42 @@ jobs:
     strategy:
       matrix:
         image:
-          - distro_tag: '4.4.0'
-            bioc: '3.19'
-            distro: rstudio-local
-            origin: rocker
+          # - distro_tag: '4.4.0'
+          #   bioc: '3.19'
+          #   distro: rstudio-local
+          #   origin: rocker
           - distro_tag: '4.4.0'
             bioc: '3.19'
             distro: rstudio
             origin: rocker
-          - distro_tag: 'latest'
-            bioc: 'devel'
-            distro: gcc13
-            origin: rhub
-          - distro_tag: 'latest'
-            bioc: 'devel'
-            distro: gcc14
-            origin: rhub
-          - distro_tag: 'latest'
-            bioc: 'devel'
-            distro: atlas
-            origin: rhub
-          - distro_tag: 'latest'
-            bioc: 'devel'
-            distro: valgrind
-            origin: rhub
-          - distro_tag: 'latest'
-            bioc: 'devel'
-            distro: intel
-            origin: rhub
-          - distro_tag: 'latest'
-            bioc: 'devel'
-            distro: nosuggests
-            origin: rhub
-          - distro_tag: 'latest'
-            bioc: 'devel'
-            distro: mkl
-            origin: rhub
+          # - distro_tag: 'latest'
+          #   bioc: 'devel'
+          #   distro: gcc13
+          #   origin: rhub
+          # - distro_tag: 'latest'
+          #   bioc: 'devel'
+          #   distro: gcc14
+          #   origin: rhub
+          # - distro_tag: 'latest'
+          #   bioc: 'devel'
+          #   distro: atlas
+          #   origin: rhub
+          # - distro_tag: 'latest'
+          #   bioc: 'devel'
+          #   distro: valgrind
+          #   origin: rhub
+          # - distro_tag: 'latest'
+          #   bioc: 'devel'
+          #   distro: intel
+          #   origin: rhub
+          # - distro_tag: 'latest'
+          #   bioc: 'devel'
+          #   distro: nosuggests
+          #   origin: rhub
+          # - distro_tag: 'latest'
+          #   bioc: 'devel'
+          #   distro: mkl
+          #   origin: rhub
 
     # Trigger steps
     steps:
@@ -94,6 +94,6 @@ jobs:
               "latest_r_version": "4.4.0",
               "latest_bioc_version": "3.19",
               "tag": "",
-              "tag_latest": "true",
+              "tag_latest": "false",
               "release_tag": "${{ needs.create-release.outputs.release_tag }}"
             }