From 88503c6be016f201e18cd1bf4e31b024e7997dc4 Mon Sep 17 00:00:00 2001
From: Tim Smith
Date: Wed, 24 Apr 2024 00:29:25 -0700
Subject: [PATCH] Push SBOM/Provenance data to Docker Hub (#451)

With this change we will have build data in the image manifest which can be pulled by tools (like ours) or via the CLI with commands like `docker buildx imagetools inspect mondoo/cnspec --format "{{json .Provenance}}"`
To see an example of what this data will look like pull this container where I just made the same change
```
docker buildx imagetools inspect dokken/ubuntu-24.04 --format "{{json .Provenance}}"
```
Signed-off-by: Tim Smith
---
 .github/workflows/build_container.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/.github/workflows/build_container.yml b/.github/workflows/build_container.yml
index b9961ee3..a472d470 100644
--- a/.github/workflows/build_container.yml
+++ b/.github/workflows/build_container.yml
@@ -51,6 +51,8 @@ jobs:
 - name: Build and push root images
 uses: docker/build-push-action@v5
 with:
+ sbom: true
+ provenance: true
 context: .
 platforms: linux/amd64,linux/arm64
 push: true
@@ -69,6 +71,8 @@ jobs:
 continue-on-error: true
 uses: docker/build-push-action@v5
 with:
+ sbom: true
+ provenance: true
 context: .
 file: Dockerfile-dev
 platforms: linux/amd64,linux/arm64,linux/arm/v6,linux/arm/v7
@@ -83,6 +87,8 @@ jobs:
 - name: Build and push rootless images
 uses: docker/build-push-action@v5
 with:
+ sbom: true
+ provenance: true
 context: .
 platforms: linux/amd64,linux/arm64,linux/arm/v6,linux/arm/v7
 push: true
@@ -96,6 +102,8 @@ jobs:
 - name: Build and push root images (ubi)
 uses: docker/build-push-action@v5
 with:
+ sbom: true
+ provenance: true
 context: .
 file: Dockerfile-ubi
 platforms: linux/amd64,linux/arm64
@@ -110,6 +118,8 @@ jobs:
 - name: Build and push rootless images (ubi)
 uses: docker/build-push-action@v5
 with:
+ sbom: true
+ provenance: true
 context: .
 file: Dockerfile-ubi
 platforms: linux/amd64,linux/arm64
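Review bot: The `sbom: true` / `provenance: true` pairs added to all five `with:` blocks (hunks at -51, -69, -83, -96 and -110) publish build metadata to a public registry, and nothing next to them says what that metadata may contain or how far it can be trusted. Provenance records build parameters, and at the more detailed `mode=max` level that includes build-argument values, so any credential passed through `build-args` would be readable by anyone who pulls the manifest; the remainder of each `with:` block is outside the hunks, so this needs checking against the full file. BuildKit attaches these attestations unsigned, which is worth stating for consumers who might otherwise treat them as verified. I would put one comment above the first pair, e.g. `# SBOM/provenance are pushed publicly and unsigned: keep secrets out of build-args (use the secrets input)`.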
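Review bot: In the `@@ -69,6 +71,8 @@` hunk the `Dockerfile-dev` step keeps `continue-on-error: true`, so a failure while generating or pushing the SBOM/provenance leaves the job green and nobody learns that the dev image has no attestation. If attestations are expected on every published tag, either drop `continue-on-error` for this step or add a follow-up step that checks the result. That step can reuse the command from the commit message, `docker buildx imagetools inspect <image>:<tag> --format "{{json .Provenance}}"`, and fail on empty output. The step's `- name:` line and its tag list are outside the hunk, so the image reference is left as a placeholder here.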