From 7cac3d600f50bcb993ef45002717bdf8756ccea6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=D7=A0=CF=85=CE=B1=CE=B7=20=D7=A0=CF=85=CE=B1=CE=B7=D1=95?= =?UTF-8?q?=CF=83=CE=B7?=
Date: Sun, 15 Mar 2026 21:19:58 -0700
Subject: [PATCH] feat: add GitHub native attestations for SBOM and provenance
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add attest-build-provenance and attest-sbom steps to docker publish workflow. These show up on the GitHub package page. Replace deprecated cosign download sbom with gh attestation verify in docs. Point cosign and SBOM badges to package page.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude
---
 .github/workflows/docker-publish.yml | 22 +++++++++++++++++++++-
 README.md | 4 ++--
 docs/docs/sidebar/intro.md | 7 +++++--
 3 files changed, 28 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index ae33b690..e7f79d27 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -9,6 +9,7 @@ permissions:
   contents: read
   packages: write
   id-token: write
+  attestations: write
 
 jobs:
   publish:
@@ -51,7 +52,6 @@ jobs:
           push: true
           platforms: linux/amd64,linux/arm64
           tags: ghcr.io/${{ github.repository }}:latest
-          sbom: true
 
       - name: Install cosign
         uses: sigstore/cosign-installer@v3
@@ -60,3 +60,23 @@ jobs:
         env:
           DIGEST: ${{ steps.build.outputs.digest }}
         run: cosign sign --yes ghcr.io/${{ github.repository }}@${DIGEST}
+
+      - name: Attest build provenance
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-name: ghcr.io/${{ github.repository }}
+          subject-digest: ${{ steps.build.outputs.digest }}
+
+      - name: Generate SBOM
+        uses: anchore/sbom-action@v0
+        with:
+          image: ghcr.io/${{ github.repository }}@${{ steps.build.outputs.digest }}
+          output-file: sbom.spdx.json
+          format: spdx-json
+
+      - name: Attest SBOM
+        uses: actions/attest-sbom@v2
+        with:
+          subject-name: ghcr.io/${{ github.repository }}
+          subject-digest: ${{ steps.build.outputs.digest }}
+          sbom-path: sbom.spdx.json
diff --git a/README.md b/README.md
index de188883..7fb0eafa 100644
--- a/README.md
+++ b/README.md
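Review bot: The `Generate SBOM` step scans `ghcr.io/${{ github.repository }}@${{ steps.build.outputs.digest }}`, which for the multi-platform build configured in the earlier hunk (`platforms: linux/amd64,linux/arm64`) is the image index digest, yet syft-based scanners typically resolve an index to a single platform (the runner's) unless a platform is specified, so the attested SBOM would likely describe only one architecture while its subject is the whole index. Consider either producing and attesting one SBOM per platform manifest digest, or recording the limitation above the step: `# TODO(review): subject is the multi-platform index digest; confirm the SBOM covers linux/arm64 as well as linux/amd64`. The three new steps also reference actions by floating tags (`@v2`, `@v0`); since they mint the provenance and SBOM attestations that consumers will trust, pinning them to full commit SHAs with a version comment is worth considering, although the existing `sigstore/cosign-installer@v3` step shows the file uses floating tags throughout, so this may be better handled as a file-wide follow-up.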
@@ -4,8 +4,8 @@
 [![license](https://img.shields.io/badge/license-MIT-brightgreen.svg?style=for-the-badge)](LICENSE)
 [![build](https://img.shields.io/github/actions/workflow/status/osapi-io/osapi/go.yml?style=for-the-badge)](https://github.com/osapi-io/osapi/actions/workflows/go.yml)
 [![docker](https://img.shields.io/badge/ghcr.io-osapi-blue?style=for-the-badge&logo=docker&logoColor=white)](https://github.com/osapi-io/osapi/pkgs/container/osapi)
-[![cosign](https://img.shields.io/badge/signed-cosign-blueviolet?style=for-the-badge&logo=sigstore&logoColor=white)](https://osapi-io.github.io/osapi/#docker)
-[![sbom](https://img.shields.io/badge/SBOM-attached-green?style=for-the-badge)](https://osapi-io.github.io/osapi/#docker)
+[![cosign](https://img.shields.io/badge/signed-cosign-blueviolet?style=for-the-badge&logo=sigstore&logoColor=white)](https://github.com/osapi-io/osapi/pkgs/container/osapi)
+[![sbom](https://img.shields.io/badge/SBOM-attached-green?style=for-the-badge)](https://github.com/osapi-io/osapi/pkgs/container/osapi)
 [![powered by](https://img.shields.io/badge/powered%20by-goreleaser-green.svg?style=for-the-badge)](https://github.com/goreleaser)
 [![conventional commits](https://img.shields.io/badge/Conventional%20Commits-1.0.0-yellow.svg?style=for-the-badge)](https://conventionalcommits.org)
 ![openapi initiative](https://img.shields.io/badge/openapiinitiative-%23000000.svg?style=for-the-badge&logo=openapiinitiative&logoColor=white)
diff --git a/docs/docs/sidebar/intro.md b/docs/docs/sidebar/intro.md
index 9c0607e8..ea7cfd23 100644
--- a/docs/docs/sidebar/intro.md
+++ b/docs/docs/sidebar/intro.md
@@ -42,12 +42,15 @@ cosign verify ghcr.io/osapi-io/osapi:latest \
   --certificate-identity-regexp github.com/osapi-io/osapi
 ```
 
-Download the SBOM:
+Verify build provenance and SBOM attestations via the GitHub CLI:
 
 ```bash
-cosign download sbom ghcr.io/osapi-io/osapi:latest
+gh attestation verify oci://ghcr.io/osapi-io/osapi:latest \
+  --owner osapi-io
 ```
 
+Attestations are also visible on the [package page][ghcr].
+
 ## Quickstart
 
 Install OSAPI and start all three components in a single process: