From dbf4fdc9faa12fce4e2867e6d188d401b7e5319a Mon Sep 17 00:00:00 2001
From: Scott Gress <scott@fleetdm.com>
Date: Tue, 2 Dec 2025 14:16:36 -0600
Subject: [PATCH 1/2] add attestations to images

---
 .github/workflows/build-minio.yml | 114 +++++++++++++++++++++++++++++-
 1 file changed, 111 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/build-minio.yml b/.github/workflows/build-minio.yml
index 077e50b..2d2ce9c 100644
--- a/.github/workflows/build-minio.yml
+++ b/.github/workflows/build-minio.yml
@@ -24,7 +24,7 @@ on:
 env:
   GITHUB_REGISTRY: ghcr.io
   DOCKER_REGISTRY: docker.io
-  IMAGE_NAME: coollabsio/minio
+  IMAGE_NAME: ${{ secrets.IMAGE_NAME_OVERRIDE || 'coollabsio/minio' }}
 
 jobs:
   check-release:
@@ -160,8 +160,8 @@ jobs:
           docker buildx imagetools create \
           $TAGS \
           ${{ env.GITHUB_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ needs.check-release.outputs.version }}-amd64 \
-          ${{ env.GITHUB_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ needs.check-release.outputs.version }}-arm64
-
+          ${{ env.GITHUB_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ needs.check-release.outputs.version }}-arm64  
+                    
       - name: Create & publish manifest on ${{ env.DOCKER_REGISTRY }}
         run: |
           TAGS="-t ${{ env.DOCKER_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ needs.check-release.outputs.version }}"
@@ -185,3 +185,111 @@ jobs:
           echo "- GHCR: ${{ env.GITHUB_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ needs.check-release.outputs.version }}" >> $GITHUB_STEP_SUMMARY
           echo "- Docker Hub: ${{ env.DOCKER_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ needs.check-release.outputs.version }}" >> $GITHUB_STEP_SUMMARY
           echo "- Latest: ${{ env.DOCKER_REGISTRY }}/${{ env.IMAGE_NAME }}:latest" >> $GITHUB_STEP_SUMMARY
+
+  collect-digests:
+    needs: 
+      - merge-manifest
+      - check-release
+    runs-on: ubuntu-latest
+    outputs:
+      collect-ghcr-digests: ${{ steps.collect-ghcr-digests.outputs.digests_json }}
+      collect-dockerhub-digests: ${{ steps.collect-dockerhub-digests.outputs.digests_json }}
+    steps:
+      - name: Collect Docker Hub image digests
+        id: collect-dockerhub-digests
+        run: |
+          IMAGE="${{ env.DOCKER_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ needs.check-release.outputs.version }}"
+
+          # Pull raw OCI index
+          RAW=$(docker buildx imagetools inspect --raw "$IMAGE")
+
+          # Get real image digests. If this is a re-run, we may have attestations present,
+          # so filter those out.
+          DIGESTS=$(echo "$RAW" | jq -r '
+            .manifests[]
+            | select(.platform.architecture != null)          # keep manifests with a real platform
+            | select(.annotations["vnd.docker.reference.type"] != "attestation-manifest")  # skip attestations
+            | .digest
+          ')
+
+          JSON=$(printf '%s\n' "$DIGESTS" | jq -R . | jq -s .)          
+
+          # Convert newline-separated list to JSON array for workflow matrix
+          {
+            echo "digests_json<<EOF"
+            echo "$JSON"
+            echo "EOF"
+          } >> "$GITHUB_OUTPUT"
+      - name: Collect GHCR image digests
+        id: collect-ghcr-digests
+        run: |
+          IMAGE="${{ env.GITHUB_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ needs.check-release.outputs.version }}"
+
+          # Pull raw OCI index
+          RAW=$(docker buildx imagetools inspect --raw "$IMAGE")
+
+          # Get real image digests. If this is a re-run, we may have attestations present,
+          # so filter those out.
+          DIGESTS=$(echo "$RAW" | jq -r '
+            .manifests[]
+            | select(.platform.architecture != null)          # keep manifests with a real platform
+            | select(.annotations["vnd.docker.reference.type"] != "attestation-manifest")  # skip attestations
+            | .digest
+          ')
+
+          JSON=$(printf '%s\n' "$DIGESTS" | jq -R . | jq -s .)
+
+          # Convert newline-separated list to JSON array for workflow matrix          
+          {
+            echo "digests_json<<EOF"
+            echo "$JSON"
+            echo "EOF"
+          } >> "$GITHUB_OUTPUT"        
+
+  attest-ghcr:
+    needs: collect-digests
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      packages: write
+      attestations: write
+    strategy:
+      matrix:
+        digest: ${{ fromJson(needs.collect-digests.outputs.collect-ghcr-digests) }}
+    steps:
+      - name: Login to ${{ env.GITHUB_REGISTRY }}
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.GITHUB_REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Attest provenance (GHCR)
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-name: ${{ env.GITHUB_REGISTRY }}/${{ env.IMAGE_NAME }}
+          subject-digest: ${{ matrix.digest }}
+          push-to-registry: true          
+
+  attest-dockerhub:
+      needs: collect-digests
+      runs-on: ubuntu-latest
+      permissions:
+        id-token: write
+        packages: write
+        attestations: write
+      strategy:
+        matrix:
+          digest: ${{ fromJson(needs.collect-digests.outputs.collect-dockerhub-digests) }}
+      steps:
+        - name: Login to ${{ env.DOCKER_REGISTRY }}
+          uses: docker/login-action@v3
+          with:
+            registry: ${{ env.DOCKER_REGISTRY }}
+            username: ${{ secrets.DOCKERHUB_USERNAME }}
+            password: ${{ secrets.DOCKERHUB_TOKEN }}              
+        - name: Attest provenance (Docker Hub)
+          uses: actions/attest-build-provenance@v1
+          with:
+            subject-name: ${{ env.DOCKER_REGISTRY }}/${{ env.IMAGE_NAME }}
+            subject-digest: ${{ matrix.digest }}
+            push-to-registry: true                    
\ No newline at end of file

From 7547c4f2e95737d67568757cce2308c3777322c1 Mon Sep 17 00:00:00 2001
From: Scott Gress <scott@fleetdm.com>
Date: Tue, 2 Dec 2025 14:19:43 -0600
Subject: [PATCH 2/2] formatting

---
 .github/workflows/build-minio.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/build-minio.yml b/.github/workflows/build-minio.yml
index 2d2ce9c..4159759 100644
--- a/.github/workflows/build-minio.yml
+++ b/.github/workflows/build-minio.yml
@@ -160,8 +160,8 @@ jobs:
           docker buildx imagetools create \
           $TAGS \
           ${{ env.GITHUB_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ needs.check-release.outputs.version }}-amd64 \
-          ${{ env.GITHUB_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ needs.check-release.outputs.version }}-arm64  
-                    
+          ${{ env.GITHUB_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ needs.check-release.outputs.version }}-arm64
+
       - name: Create & publish manifest on ${{ env.DOCKER_REGISTRY }}
         run: |
           TAGS="-t ${{ env.DOCKER_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ needs.check-release.outputs.version }}"