diff --git a/.github/workflows/docker-build-and-push.yml b/.github/workflows/docker-build-and-push.yml
index 341bed3..d4f5251 100644
--- a/.github/workflows/docker-build-and-push.yml
+++ b/.github/workflows/docker-build-and-push.yml
@@ -65,6 +65,7 @@ on:
 jobs:
   build-and-push-image:
     permissions:
+      artifact-metadata: write
       attestations: write
       contents: read
       id-token: write
@@ -81,24 +82,18 @@ jobs:
           disable-sudo: ${{ inputs.disable-sudo }}
           egress-policy: block
           allowed-endpoints: >
+            *.docker.io:443
             *.githubapp.com:443
+            *.githubusercontent.com:443
+            *.sigstore.dev:443
             *.trivy.dev:443
             api.github.com:443
-            auth.docker.io:443
+            docker-images-prod.*.r2.cloudflarestorage.com:443
             download.docker.com:443
-            fulcio.sigstore.dev:443
             ghcr.io:443
             github.com:443
-            index.docker.io:443
             mirror.gcr.io:443
-            objects.githubusercontent.com:443
-            pkg-containers.githubusercontent.com:443
             production.cloudflare.docker.com:443
-            raw.githubusercontent.com:443
-            registry-1.docker.io:443
-            rekor.sigstore.dev:443
-            release-assets.githubusercontent.com:443
-            tuf-repo-cdn.sigstore.dev:443
             ${{ inputs.egress-policy-allowlist }}
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -157,6 +152,7 @@ jobs:
           subject-name: ${{ inputs.registry }}/${{ inputs.image }}
           subject-digest: ${{ steps.build.outputs.digest }}
           push-to-registry: true
+          create-storage-record: ${{ startsWith(inputs.registry, 'ghcr.io') }}
       - name: Run Trivy Scan
         uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
         if: inputs.scan-image
diff --git a/.github/workflows/local-auto-tagger-docker-bp.yml b/.github/workflows/local-auto-tagger-docker-bp.yml
index 85061fd..2c184be 100644
--- a/.github/workflows/local-auto-tagger-docker-bp.yml
+++ b/.github/workflows/local-auto-tagger-docker-bp.yml
@@ -8,6 +8,7 @@ on:
 jobs:
   build-push-docker-image:
     permissions:
+      artifact-metadata: write
       attestations: write
       contents: read
       id-token: write
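Review bot: The new `artifact-metadata: write` grant in the `permissions:` block carries no comment naming what consumes it, and nothing in this hunk shows a consumer; a reader auditing token scopes later will not know whether it is still needed. The only visible candidate is the attestation step further down the job, which appears to gain `create-storage-record` in the same commit. Document the coupling at the grant site, e.g. `artifact-metadata: write  # needed for create-storage-record on the attestation step`, so the permission can be dropped together with that input. The job definition continues outside the hunk.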
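Review bot: The `docker-images-prod.*.r2.cloudflarestorage.com:443` entry places a wildcard in the middle of the hostname, and the harden-runner documentation I am aware of only shows the leading `*.` subdomain form; unless its matcher supports this shape the entry may never match and the pull of image layers from that bucket will be blocked (or, worse, appear to work only because `egress-policy-allowlist` from the caller covers it). Verify against the job's network log, and add a comment on the line recording the observed hostname that motivated the pattern. The replacement of fifteen explicit hosts with `*.docker.io`, `*.githubusercontent.com` and `*.sigstore.dev` also deserves a one-line comment each explaining why the exact names were insufficient, since wildcards are the part of an egress allowlist that reviewers most want justified; `*.githubusercontent.com` in particular fronts arbitrary user-uploaded content, so it is worth stating that this is accepted deliberately.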
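Review bot: `create-storage-record` is honoured only if the release pinned on this step's `uses:` line, which is outside the hunk, recognises the input; GitHub Actions treats an unknown `with:` key as a warning, not an error, so a stale pin would leave the storage record silently uncreated while the new `artifact-metadata: write` permission stays granted for nothing. Confirm the action pin was bumped in the same change, or add `# requires <action> >= <version>` next to the input. Separately, `startsWith(inputs.registry, 'ghcr.io')` is true for any registry string that merely begins with those letters; if the intent is to enable the record only for GitHub's registry, the exact test is `create-storage-record: ${{ inputs.registry == 'ghcr.io' }}`.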