From 144221b430e3e4f9d2e7431925e1c4714cd38dde Mon Sep 17 00:00:00 2001
From: Srigovind Nayak
Date: Sun, 15 Sep 2024 22:44:00 +0530
Subject: [PATCH] docker: add SLSA provenance to .github workflow

* the id-token of the GitHub Actions workflow will be used for image signing
* replace branch-based tagging with SHA-based tagging since, branch names are mutable, SLSA provenance requires immutable tagging
* use official SLSA framework Github Reusable workflow

docker: fix incorrect registry name in image output step

* use REGISTRY environment variable instead of IMAGE_REGISTRY

docker: revert change to remove branch tag
---
 .github/workflows/docker.yml | 32 +++++++++++++++++++++++++++++++-
 changelog/unreleased/issue-4983 | 8 ++++++++
 2 files changed, 39 insertions(+), 1 deletion(-)
 create mode 100644 changelog/unreleased/issue-4983

diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index a24660b45..56a39aaec 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -19,6 +19,11 @@ jobs:
 permissions:
 contents: read
 packages: write
+ id-token: write # needed for signing the images with GitHub OIDC Token
+
+ outputs:
+ image: ${{ steps.image.outputs.image }}
+ digest: ${{ steps.build-and-push.outputs.digest }}

 steps:
 - name: Checkout repository
@@ -37,7 +42,8 @@ jobs:
 with:
 images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 tags: |
- type=ref,event=branch
+ type=sha
+ type=ref, event=branch
 type=semver,pattern={{version}}
 type=semver,pattern={{major}}.{{minor}}

@@ -55,6 +61,7 @@ jobs:
 if: github.ref != 'refs/heads/master'

 - name: Build and push Docker image
+ id: build-and-push
 uses: docker/build-push-action@15560696de535e4014efeff63c48f16952e52dd1
 with:
 push: true
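Review bot: `id-token: write` is added to the permissions of the build-and-push-image job in the first hunk, but none of that job's steps visible in this commit (checkout, metadata, build-push, the new Output image step) request an OIDC token; the signing the trailing comment refers to happens in the separate provenance job, which declares its own `id-token: write`. If no step of the job outside these hunks needs the token, the least-privilege change is to drop the line from this job and keep it only on `provenance`; if one does, reword the comment to name that step rather than "signing the images". The job's full step list is not within the hunks, so this is worth a quick check against the whole file.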
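Review bot: The re-added branch tag in the second hunk is spelled `type=ref, event=branch`, with a space after the comma that the removed line and the neighbouring `type=semver,pattern=...` entries do not have; restoring `type=ref,event=branch` keeps the revert exact and avoids depending on the metadata action trimming the field. Keeping a mutable branch tag next to `type=sha` does not weaken the provenance, since the new provenance job binds to the image digest output rather than to a tag, but the commit message itself calls branch tags incompatible with SLSA, so a one-line comment above the tags block such as `# branch tags are mutable; provenance is attached to the image digest, verify by digest` would spare the next reader the same confusion.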
@@ -64,3 +71,26 @@ jobs:
 pull: true
 tags: ${{ steps.meta.outputs.tags }}
 labels: ${{ steps.meta.outputs.labels }}
+
+ - name: Output image
+ id: image
+ run: |
+ # NOTE: Set the image as an output because the `env` context is not
+ # available to the inputs of a reusable workflow call.
+ image_name="${REGISTRY}/${IMAGE_NAME}"
+ echo "image=$image_name" >> "$GITHUB_OUTPUT"
+
+ provenance:
+ needs: [build-and-push-image]
+ permissions:
+ actions: read # for detecting the Github Actions environment.
+ id-token: write # for creating OIDC tokens for signing.
+ packages: write # for uploading attestations.
+ if: github.repository == 'restic/restic'
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
+ with:
+ image: ${{ needs.build-and-push-image.outputs.image }}
+ digest: ${{ needs.build-and-push-image.outputs.digest }}
+ registry-username: ${{ github.actor }}
+ secrets:
+ registry-password: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file
diff --git a/changelog/unreleased/issue-4983 b/changelog/unreleased/issue-4983
new file mode 100644
index 000000000..6649504bb
--- /dev/null
+++ b/changelog/unreleased/issue-4983
@@ -0,0 +1,8 @@
+Enhancement: add SLSA provenance to the Docker images
+
+Restic's Docker image build workflow now includes SLSA provenance generation.
+This enhancement improves the security and traceability of the Docker images'
+build process.
+
+https://github.com/restic/restic/issues/4983
+https://github.com/restic/restic/pull/4999
\ No newline at end of file
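Review bot: The `uses:` line of the new provenance job references the SLSA generator by the mutable tag `@v2.0.0`, while the rest of this workflow pins actions to full commit SHAs (see `docker/build-push-action@15560696de...` in the preceding hunk). As far as I recall the generator's documentation this is deliberate, because the reusable workflow verifies its own release against the tag it is invoked with and a SHA reference is not supported, but that reasoning is not recorded in the file and a later pin-everything sweep would silently break provenance generation; a comment above the `uses:` line such as `# referenced by tag on purpose: the generator verifies its own release by tag, see the slsa-github-generator docs` documents the exception. The new version of the file also ends without a trailing newline (`\ No newline at end of file`), which is worth fixing before merge. The `provenance` job is entirely within this hunk; the build job's earlier steps are not.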