# Add Artifact Attestations to Workflow

Skill: `add-artifact-attestations-to-workflow`

Add SLSA build-provenance attestations to existing GitHub Actions workflows for Docker container images.
## Steps

- **Locate the workflow**
  Find the workflow files in `.github/workflows/` that contain `docker/build-push-action` or a similar build-and-push step. The push may live in a composite action rather than in the workflow itself, so read the composite action together with the workflow that calls it.

- **Enable OIDC and attestations permissions**
  In each workflow's top-level `permissions:` block, grant both the OIDC token and the attestations write privilege. If a job defines its own `permissions:` block, that block replaces the top-level one for that job, so make sure the two grants land wherever the build job's effective permissions are set.

  ```yaml
  permissions:
    id-token: write      # mint the OIDC token used to sign the provenance
    attestations: write  # store the attestation in GitHub's attestation store
    contents: read       # (existing)
    packages: write      # (existing)
  ```

- **Log in to container registries**
  Ensure an authentication step exists for each registry you will attest against. Add logins only for the registries the workflow actually pushes to, judged from the implemented content, rather than logging in to all of them.

  ```yaml
  - name: Login to GHCR
    uses: docker/login-action@v3
    with:
      registry: ghcr.io
      username: ${{ github.actor }}
      password: ${{ secrets.GITHUB_TOKEN }}

  - name: Login to Docker Hub
    uses: docker/login-action@v3
    with:
      registry: index.docker.io
      username: ${{ secrets.DOCKERHUB_USERNAME }}
      password: ${{ secrets.DOCKERHUB_TOKEN }}

  - name: Login to Quay
    uses: docker/login-action@v3
    with:
      registry: quay.io
      username: ${{ secrets.QUAY_USERNAME }}
      password: ${{ secrets.QUAY_TOKEN }}
  ```

- **Build and push the image, capturing the digest**
  Use `docker/build-push-action@v*` with an `id` so later steps can reference its `digest` output. Judge which tags to use from the implemented content.

  ```yaml
  - name: Build and push image
    id: build_push
    uses: docker/build-push-action@v5
    with:
      context: .
      push: true
      tags: |
        ghcr.io/${{ github.repository }}:latest
        index.docker.io/${{ secrets.DOCKERHUB_USERNAME }}/your-repo:latest
        quay.io/${{ github.repository_owner }}/your-repo:latest
  ```

- **Add attestation steps**
  After the `build_push` step, insert one `actions/attest-build-provenance@v3` invocation per registry. `subject-name` is the full image name without a tag; `subject-digest` comes from the build step's `digest` output. A single build that pushes the same image to several registries produces one manifest digest, so every attest step references the same output. By default the attestation is stored only in GitHub's attestation store; set `push-to-registry: true` to also attach it to the image in the registry as an OCI referrer, which is what requires the registry login from the previous step. Judge which registries to attest from the implemented content.

  ```yaml
  - name: Attest GHCR image
    uses: actions/attest-build-provenance@v3
    with:
      subject-name: ghcr.io/${{ github.repository }}
      subject-digest: ${{ steps.build_push.outputs.digest }}

  - name: Attest Docker Hub image
    uses: actions/attest-build-provenance@v3
    with:
      subject-name: index.docker.io/${{ secrets.DOCKERHUB_USERNAME }}/your-repo
      subject-digest: ${{ steps.build_push.outputs.digest }}

  - name: Attest Quay image
    uses: actions/attest-build-provenance@v3
    with:
      subject-name: quay.io/${{ github.repository_owner }}/your-repo
      subject-digest: ${{ steps.build_push.outputs.digest }}
  ```

- **Commit the changes**
  Write the git commit message in English.

  ```bash
  git add .github/workflows/docker_publish.yml  # or whatever files you modified
  git commit --signoff -m "ci: add build-provenance attestations for container images"
  ```

- **Ask the user to push**
  Tell the user to push the changes manually and to verify that the attestations were created successfully, for example with `gh attestation verify oci://<image>@<digest> --owner <owner>`. DO NOT perform a `git push`.
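The steps above assembled into one complete workflow, as an added example rather than a file from this skill or its repository. It assumes a single registry (GHCR), a `v*` tag trigger, and that the repository owner and name are already lowercase (GHCR rejects uppercase image names; if yours are not lowercase, derive the tags with `docker/metadata-action` instead). It also adds a second job that verifies the attestation against the pushed digest with `gh attestation verify`, which is the check the user is asked to run after pushing.

```yaml
name: Publish container image with build provenance

on:
  push:
    tags: ['v*']

# Default for every job; the build job widens this below.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write      # push the image to GHCR
      id-token: write      # mint the OIDC token Sigstore uses to sign the provenance
      attestations: write  # store the attestation in GitHub's attestation store
    outputs:
      # Expose the manifest digest so the verify job checks exactly what was pushed.
      digest: ${{ steps.build_push.outputs.digest }}
    steps:
      - uses: actions/checkout@v4

      - name: Login to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build and push image
        id: build_push
        uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          # Assumption: owner and repo names are lowercase (required by GHCR).
          tags: |
            ghcr.io/${{ github.repository }}:${{ github.ref_name }}
            ghcr.io/${{ github.repository }}:latest

      - name: Attest GHCR image
        uses: actions/attest-build-provenance@v3
        with:
          subject-name: ghcr.io/${{ github.repository }}   # no tag here
          subject-digest: ${{ steps.build_push.outputs.digest }}
          # Also attach the attestation to the image in the registry as an OCI
          # referrer; this is why the GHCR login above is required.
          push-to-registry: true

  verify:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: read   # pull the image manifest from GHCR
    steps:
      # gh pulls the image manifest through the local Docker credentials,
      # so log in first in case the package is private.
      - name: Login to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Verify build provenance for the pushed digest
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          gh attestation verify \
            oci://ghcr.io/${{ github.repository }}@${{ needs.build.outputs.digest }} \
            --owner ${{ github.repository_owner }}
```

The verify job pins the subject by digest rather than by tag, so a later retag of `:latest` cannot make a stale attestation look current. `--owner` restricts acceptable attestations to those signed by workflows in that owner's repositories; an attestation produced by a fork or a different organization fails verification even if the digest matches.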