Attach provenance and SBOM attestations to published docker container (#609)

JAORMX · web-flow · commit e9a04cc6bc49 · 2025-01-16T15:53:39.000+02:00
What the title says.

Signed-off-by: Juan Antonio Osorio &lt;ozz@stacklok.com&gt;
diff --git a/.github/workflows/image-publish.yml b/.github/workflows/image-publish.yml
@@ -81,6 +81,8 @@ jobs:
           context: .
           platforms: linux/amd64,linux/arm64
           push: true
+          provenance: mode=max
+          sbom: true
           tags: ${{ steps.docker-metadata.outputs.tags }}
           labels: ${{ steps.docker-metadata.outputs.labels }}
           cache-from: type=gha
