testing provenance and sbom of the build-push-action

Author: fontebasso

.github/workflows/release.yml

@@ -50,7 +50,9 @@ jobs:
           platforms: linux/${{ matrix.arch }}
           tags: fontebasso/php-nginx:${{ steps.version.outputs.tag }}-${{ matrix.arch }}
           push: true
-          provenance: false
+          provenance: true
+          attests: true
+          sbom: true
           build-args: |
             VERSION=${{ steps.version.outputs.tag }}
 
@@ -91,107 +93,3 @@ jobs:
           COSIGN_EXPERIMENTAL: "1"
         run: |
           cosign sign --yes docker.io/fontebasso/php-nginx@${{ steps.push.outputs.digest }}
-
-  attach-sbom:
-    name: Generate and Attach SBOM
-    needs: merge-multiarch
-    runs-on: ubuntu-latest
-    steps:
-      - name: Install Syft
-        uses: anchore/sbom-action/[email protected]
-
-      - name: Install Cosign
-        uses: sigstore/[email protected]
-
-      - name: Log in to Docker Hub
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Generate SBOM (Syft JSON)
-        run: |
-          syft docker.io/fontebasso/php-nginx@${{ needs.merge-multiarch.outputs.digest }} \
-            -o spdx-json > sbom.spdx.json
-
-      - name: Attest SBOM
-        run: |
-          cosign attest \
-            --yes \
-            --type spdx \
-            --predicate sbom.spdx.json \
-            docker.io/fontebasso/php-nginx@${{ needs.merge-multiarch.outputs.digest }}
-
-      - name: Upload SBOM artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: 'sbom'
-          path: sbom.spdx.json
-
-      - name: Sign SBOM
-        env:
-          COSIGN_EXPERIMENTAL: "1"
-        run: |
-          cosign sign --yes \
-            --attachment sbom \
-            docker.io/fontebasso/php-nginx@${{ needs.merge-multiarch.outputs.digest }}
-
-  generate-provenance:
-    name: Generate SLSA Provenance
-    needs: merge-multiarch
-    if: startsWith(github.ref, 'refs/tags/')
-    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
-    with:
-      image: docker.io/fontebasso/php-nginx
-      digest: ${{ needs.merge-multiarch.outputs.digest }}
-    secrets:
-      registry-username: ${{ secrets.DOCKERHUB_USERNAME }}
-      registry-password: ${{ secrets.DOCKERHUB_TOKEN }}
-    permissions:
-      packages: write
-      id-token: write
-      contents: read
-      actions: read
-
-  publish-assets:
-    name: Publish SBOM and Provenance to Release
-    needs: [ attach-sbom, generate-provenance, merge-multiarch ]
-    runs-on: ubuntu-latest
-    permissions:
-      contents: write
-    steps:
-      - name: Extract release version
-        run: echo "RELEASE_VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
-
-      - name: Install Cosign
-        uses: sigstore/[email protected]
-
-      - name: Download provenance from registry
-        run: |
-          cosign download attestation \
-            docker.io/fontebasso/php-nginx@${{ needs.merge-multiarch.outputs.digest }} \
-            --output-file provenance.intoto.jsonl
-
-      - name: Download SBOM artifact
-        uses: actions/download-artifact@v4
-        with:
-          name: 'sbom'
-
-      - name: Save digest to file
-        run: echo "${{ needs.merge-multiarch.outputs.digest }}" > digest.txt
-
-      - name: Generate checksums
-        run: |
-          sha256sum \
-            provenance.intoto.jsonl \
-            sbom.spdx.json \
-            digest.txt > checksums.txt
-
-      - name: Upload release assets
-        uses: softprops/action-gh-release@v2
-        with:
-          files: |
-            provenance.intoto.jsonl
-            sbom.spdx.json
-            digest.txt
-            checksums.txt