fix slsa provenance

Author: fontebasso

.github/workflows/docker-image-release.yml

@@ -8,9 +8,10 @@ on:
 permissions:
   id-token: write
   contents: read
+  packages: write
 
 jobs:
-  build:
+  build-images:
     strategy:
       matrix:
         arch: [amd64, arm64]
@@ -42,20 +43,23 @@ jobs:
         with:
           install: true
 
-      - name: Build and push image with provenance for ${{ matrix.arch }}
+      - name: Build and push image for ${{ matrix.arch }}
         uses: docker/build-push-action@v6
         with:
           context: .
           platforms: linux/${{ matrix.arch }}
           tags: fontebasso/php-nginx:${{ steps.version.outputs.tag }}-${{ matrix.arch }}
           push: true
-          provenance: true
+          provenance: false
           build-args: |
             VERSION=${{ steps.version.outputs.tag }}
 
-  merge:
-    needs: build
+  merge-multiarch:
+    name: Merge Multi-Arch Image and Sign
+    needs: build-images
     runs-on: ubuntu-latest
+    outputs:
+      digest: ${{ steps.push.outputs.digest }}
     steps:
       - name: Extract release version
         run: echo "RELEASE_VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
@@ -66,29 +70,37 @@ jobs:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
-      - name: Merge multi-arch image
+      - name: Merge multi-arch image and get digest
+        id: push
         run: |
           docker buildx imagetools create \
             --tag fontebasso/php-nginx:${RELEASE_VERSION} \
             --tag fontebasso/php-nginx:latest \
             fontebasso/php-nginx:${RELEASE_VERSION}-amd64 \
             fontebasso/php-nginx:${RELEASE_VERSION}-arm64
 
+          digest=$(docker buildx imagetools inspect fontebasso/php-nginx:${RELEASE_VERSION} --format '{{.Digest}}')
+          echo "digest=$digest"
+          echo "digest=$digest" >> "$GITHUB_OUTPUT"
+
       - name: Install Cosign
         uses: sigstore/[email protected]
 
-      - name: Sign image using GitHub OIDC
+      - name: Sign image by digest (OIDC keyless)
         env:
           COSIGN_EXPERIMENTAL: "1"
         run: |
-          cosign sign --yes docker.io/fontebasso/php-nginx:${RELEASE_VERSION}
-          cosign sign --yes docker.io/fontebasso/php-nginx:latest
+          cosign sign --yes docker.io/fontebasso/php-nginx@${{ steps.push.outputs.digest }}
 
-      - name: Generate and attach SLSA Provenance
-        run: |
-          cosign attest --yes \
-            --type=provenance \
-            docker.io/fontebasso/php-nginx:${RELEASE_VERSION}
-          cosign attest --yes \
-            --type=provenance \
-            docker.io/fontebasso/php-nginx:latest
+  generate-provenance:
+    name: Generate SLSA Provenance v1.1
+    needs: merge-multiarch
+    if: startsWith(github.ref, 'refs/tags/')
+    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+    with:
+      image: docker.io/fontebasso/php-nginx
+      digest: ${{ needs.merge-multiarch.outputs.digest }}
+    permissions:
+      id-token: write
+      contents: read
+      packages: write

README.md

@@ -3,7 +3,7 @@
 [![Docker Build](https://github.com/fontebasso/docker-php-nginx/workflows/docker/badge.svg)](https://github.com/fontebasso/docker-php-nginx/actions?query=workflow%3Adocker)
 [![Docker Pulls](https://img.shields.io/docker/pulls/fontebasso/php-nginx)](https://hub.docker.com/r/fontebasso/php-nginx)
 [![Signed with Sigstore](https://img.shields.io/badge/sigstore-signed-blue?logo=sigstore)](https://www.sigstore.dev)
-[![Provenance Verified](https://img.shields.io/badge/provenance-SLSA%20v1.0-brightgreen)](https://github.com/sigstore/cosign)
+[![SLSA Provenance](https://img.shields.io/badge/provenance-SLSA%20v1.1-brightgreen)](https://slsa.dev/spec/v1.1)
 [![GitHub License](https://img.shields.io/github/license/fontebasso/docker-php-nginx)](https://github.com/fontebasso/docker-php-nginx/blob/main/LICENSE)
 
 This repository contains a Docker image for running high-performance PHP web applications. It is optimized for speed, efficiency, and includes a comprehensive set of tools and libraries commonly used in web development.
@@ -16,7 +16,7 @@ This repository contains a Docker image for running high-performance PHP web app
 This image is:
 
 - ✅ Signed with [Sigstore Cosign](https://docs.sigstore.dev)
-- ✅ Provenance generated in the [SLSA v1.0](https://slsa.dev/spec/v1.0/provenance)
+- ✅ Provenance generated in the [SLSA v1.1](https://slsa.dev/spec/v1.1/provenance)
 - ✅ Compatible with verification using `cosign verify` and `cosign verify-attestation`
 
 To verify the image and its provenance (example):