feat: add GitHub native attestations for SBOM and provenance

.github/workflows/docker-publish.yml

@@ -9,6 +9,7 @@ permissions:
   contents: read
   packages: write
   id-token: write
+  attestations: write
 
 jobs:
   publish:
@@ -51,7 +52,6 @@ jobs:
           push: true
           platforms: linux/amd64,linux/arm64
           tags: ghcr.io/${{ github.repository }}:latest
-          sbom: true
 
       - name: Install cosign
         uses: sigstore/cosign-installer@v3
@@ -60,3 +60,23 @@ jobs:
         env:
           DIGEST: ${{ steps.build.outputs.digest }}
         run: cosign sign --yes ghcr.io/${{ github.repository }}@${DIGEST}
+
+      - name: Attest build provenance
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-name: ghcr.io/${{ github.repository }}
+          subject-digest: ${{ steps.build.outputs.digest }}
+
+      - name: Generate SBOM
+        uses: anchore/sbom-action@v0
+        with:
+          image: ghcr.io/${{ github.repository }}@${{ steps.build.outputs.digest }}
+          output-file: sbom.spdx.json
+          format: spdx-json
+
+      - name: Attest SBOM
+        uses: actions/attest-sbom@v2
+        with:
+          subject-name: ghcr.io/${{ github.repository }}
+          subject-digest: ${{ steps.build.outputs.digest }}
+          sbom-path: sbom.spdx.json

README.md

@@ -4,8 +4,8 @@
 [![license](https://img.shields.io/badge/license-MIT-brightgreen.svg?style=for-the-badge)](LICENSE)
 [![build](https://img.shields.io/github/actions/workflow/status/osapi-io/osapi/go.yml?style=for-the-badge)](https://github.com/osapi-io/osapi/actions/workflows/go.yml)
 [![docker](https://img.shields.io/badge/ghcr.io-osapi-blue?style=for-the-badge&logo=docker&logoColor=white)](https://github.com/osapi-io/osapi/pkgs/container/osapi)
-[![cosign](https://img.shields.io/badge/signed-cosign-blueviolet?style=for-the-badge&logo=sigstore&logoColor=white)](https://osapi-io.github.io/osapi/#docker)
-[![sbom](https://img.shields.io/badge/SBOM-attached-green?style=for-the-badge)](https://osapi-io.github.io/osapi/#docker)
+[![cosign](https://img.shields.io/badge/signed-cosign-blueviolet?style=for-the-badge&logo=sigstore&logoColor=white)](https://github.com/osapi-io/osapi/pkgs/container/osapi)
+[![sbom](https://img.shields.io/badge/SBOM-attached-green?style=for-the-badge)](https://github.com/osapi-io/osapi/pkgs/container/osapi)
 [![powered by](https://img.shields.io/badge/powered%20by-goreleaser-green.svg?style=for-the-badge)](https://github.com/goreleaser)
 [![conventional commits](https://img.shields.io/badge/Conventional%20Commits-1.0.0-yellow.svg?style=for-the-badge)](https://conventionalcommits.org)
 ![openapi initiative](https://img.shields.io/badge/openapiinitiative-%23000000.svg?style=for-the-badge&logo=openapiinitiative&logoColor=white)

docs/docs/sidebar/intro.md

@@ -42,12 +42,15 @@ cosign verify ghcr.io/osapi-io/osapi:latest \
   --certificate-identity-regexp github.com/osapi-io/osapi
 ```
 
-Download the SBOM:
+Verify build provenance and SBOM attestations via the GitHub CLI:
 
 ```bash
-cosign download sbom ghcr.io/osapi-io/osapi:latest
+gh attestation verify oci://ghcr.io/osapi-io/osapi:latest \
+  --owner osapi-io
 ```
 
+Attestations are also visible on the [package page][ghcr].
+
 ## Quickstart
 
 Install OSAPI and start all three components in a single process: