jprdonnelly/docs
1
0
Fork 0
mirror of synced 2025-12-19 18:10:59 -05:00
Code Issues Projects Releases Wiki Activity

Update Docker publishing tutorial for artifact attestation guidance (#58736)

Browse Source 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Brian DeHamer <bdehamer@github.com>
This commit is contained in:
Eugene
2025-12-08 10:45:16 -05:00
committed by GitHub
parent bcff1fea9a
commit f857bcae5e
1 changed files with 7 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
content/actions/tutorials/publish-packages/publish-docker-images.md
View File

@@ -191,8 +191,6 @@ jobs:
permissions:
packages: write
contents: read
{% ifversion artifact-attestations %}attestations: write{% endif %}
{% ifversion artifact-attestations %}id-token: write{% endif %}
steps:
- name: Check out the repo
uses: {% data reusables.actions.action-checkout %}
@@ -226,18 +224,15 @@ jobs:
push: true
tags: {% raw %}${{ steps.meta.outputs.tags }}{% endraw %}
labels: {% raw %}${{ steps.meta.outputs.labels }}{% endraw %}
{% ifversion artifact-attestations %}
- name: Generate artifact attestation
uses: actions/attest-build-provenance@v3
with:
subject-name: {% data reusables.package_registry.container-registry-hostname %}/{% raw %}${{ github.repository }}{% endraw %}
subject-digest: {% raw %}${{ steps.push.outputs.digest }}{% endraw %}
push-to-registry: true
{% endif -%}
```
The above workflow checks out the {% data variables.product.github %} repository, uses the `login-action` twice to log in to both registries and generates tags and labels with the `metadata-action` action.
Then the `build-push-action` action builds and pushes the Docker image to Docker Hub and the {% data variables.product.prodname_container_registry %}.
{% ifversion artifact-attestations %}{% data reusables.actions.artifact-attestations-step-explanation %}{% endif %}
{% ifversion artifact-attestations %}> [!NOTE]
> When pushing to multiple registries:
>
> * Image digests may differ between registries, making attestation verification difficult.
> * To maintain a consistent digest and allow a single attestation to verify all copies, push to one registry first and use a tool like [`crane copy`](https://github.com/google/go-containerregistry/blob/main/cmd/crane/doc/crane_copy.md) to replicate the image elsewhere.
> * If you choose to build and push to each registry separately instead, you must generate a distinct attestation for each one to ensure your artifacts remain verifiable.
{% endif %}