You're viewing an older version of this GitHub Action. Do you want to see the latest version instead?
GitHub Action
attest-sign
v1.3.3
This action generates an SBOM, attests and signs the image.
It assumes that you are already authenticated to the registry where attestations and signatures are uploaded.
env:
registry: "some.registry/images"
image: "myimage"
jobs:
build_push_sign:
runs-on: "ubuntu-latest"
steps:
- name: "Checkout"
...
- name: "Authenticate to Google Cloud"
...
- name: "Login to registry"
...
- name: "Docker metadata"
...
- name: "Build and push"
id: "build_push"
...
- name: "Attest and sign"
uses: 'nais/[email protected]'
with:
image_ref: ${{ env.registry }}/${{ env.image }}@${{ steps.build_push.outputs.digest }}
sbom: # By default, the SBOM is generated with Trivy from the image manifest. Can be overridden with a pre-generated SBOM.