From 74d9767dc9d95bc1da351cd499a8679d756221d4 Mon Sep 17 00:00:00 2001 From: Victor Martinez Date: Thu, 25 Apr 2024 13:03:52 +0200 Subject: [PATCH 1/5] github-action: provenance docker --- .github/workflows/release.yml | 15 ++++++++++++++- Makefile | 6 ++++++ 2 files changed, 20 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 6ba488a..b69b627 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -13,7 +13,10 @@ jobs: release: runs-on: ubuntu-latest - + permissions: + attestations: write + contents: read + id-token: write steps: - uses: actions/checkout@v4 @@ -31,3 +34,13 @@ jobs: - name: Run publish run: make publish + + - id: docker-envs + run: make docker-envs + + - name: Attest image + uses: github-early-access/generate-build-provenance@main + with: + subject-name: ${{ steps.docker-envs.outputs.image }} + subject-digest: ${{ steps.docker-envs.outputs.digest }} + push-to-registry: true diff --git a/Makefile b/Makefile index af55bcc..955caaa 100644 --- a/Makefile +++ b/Makefile @@ -2,6 +2,7 @@ PORT ?= 8000 IMAGE ?= opbeans/opbeans-java VERSION ?= latest LTS_ALPINE ?= 12-alpine +DIGEST = $(shell docker images --format "{{.Digest}}" --no-trunc $(IMAGE)) .PHONY: help .DEFAULT_GOAL := help @@ -32,6 +33,11 @@ test: prepare-test ## Run the tests publish: build ## Publish docker image @docker push "${IMAGE}:${VERSION}" +docker-envs: ## Generate github output + echo "image=${IMAGE}" >> "$$GITHUB_OUTPUT" + echo "tag=${VERSION}" >> "$$GITHUB_OUTPUT" + echo "digest=${DIGEST}" >> "$$GITHUB_OUTPUT" + clean: ## Clean autogenerated files/folders @rm -rf bats @rm -rf target From aef4582574d1952cec8845d449c8d8c9e6d65bc2 Mon Sep 17 00:00:00 2001 From: Victor Martinez Date: Thu, 25 Apr 2024 19:21:02 +0200 Subject: [PATCH 2/5] use docker github --- .github/workflows/release.yml | 30 +++++++++++++++++++++++------- Makefile | 9 --------- 2 files changed, 23 insertions(+), 16 deletions(-) 
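Review bot: The job-level `permissions` block added at the top of the `release` job replaces the workflow-level `permissions: contents: read` for this job, and it grants `id-token: write` and `attestations: write` to every step in the job, not only to the attest step. A one-line comment above the block stating why the two write scopes exist would keep the next maintainer from trimming them or widening them further: `# id-token/attestations write: needed only by the 'Attest image' step (OIDC token + attestation upload)`. The remaining steps of the `release` job lie outside this hunk.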
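Review bot: The new `Attest image` step references `github-early-access/generate-build-provenance@main`, a mutable branch, in a job that has just been given `id-token: write`; patch 2 of this series pins `docker/metadata-action` and `docker/build-push-action` to full commit SHAs with a version comment, and this action deserves the same treatment: `uses: github-early-access/generate-build-provenance@<commit-sha>  # <version>`, so the step's contents cannot change out from under the workflow. The same unpinned reference survives unchanged in the release.yml hunks of patches 2 and 3. The `docker-envs` step also lacks a `name:`, unlike its sibling steps.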
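Review bot: `DIGEST` is computed from `docker images --format "{{.Digest}}" --no-trunc $(IMAGE)`, which prints one line per locally stored tag of that repository and prints `<none>` for an image that has never been pushed or pulled by digest, so the value can be multi-line or not a digest at all. Because `DIGEST =` is recursively expanded, the command runs at each point of use rather than once at Makefile parse time; a comment stating the precondition would help: `# DIGEST: registry digest of $(IMAGE); only meaningful after 'make publish' and assumes a single local tag`. Patch 2 of this series replaces this with the digest output of docker/build-push-action, which sidesteps the problem.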
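Review bot: The `docker-envs` recipe writes `digest=${DIGEST}` to `$GITHUB_OUTPUT` without checking the value, so an empty or `<none>` digest (see the `DIGEST` definition in the previous hunk) reaches the attest step silently, and a multi-line value would corrupt the output file, which needs the delimiter syntax for anything beyond a single `key=value` line. A guard before the echo lines would fail the job early: `@test -n "$(DIGEST)" && [ "$(DIGEST)" != "<none>" ] || { echo "no registry digest for $(IMAGE)"; exit 1; }`. The three `echo` lines also lack the `@` prefix that the other recipes in this file use.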
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index b69b627..2e7ad86 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -9,6 +9,9 @@ on: permissions: contents: read +env: + DOCKER_IMAGE_NAME: opbeans/opbeans-java + jobs: release: @@ -32,15 +35,28 @@ jobs: run: echo "VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV if: startsWith(github.ref, 'refs/tags/v') - - name: Run publish - run: make publish - - - id: docker-envs - run: make docker-envs + - name: Extract metadata (tags, labels) + id: docker-meta + uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 + with: + images: ${{ env.DOCKER_IMAGE_NAME }} + tags: | + type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'main') }} + # tag event + type=ref,enable=true,prefix=,suffix=,event=tag + + - name: Build and push image + id: docker-push + uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 + with: + context: . + push: true + tags: ${{ steps.docker-meta.outputs.tags }} + labels: ${{ steps.docker-meta.outputs.labels }} - name: Attest image uses: github-early-access/generate-build-provenance@main with: - subject-name: ${{ steps.docker-envs.outputs.image }} - subject-digest: ${{ steps.docker-envs.outputs.digest }} + subject-name: ${{ env.DOCKER_IMAGE_NAME }} + subject-digest: ${{ steps.docker-push.outputs.digest }} push-to-registry: true diff --git a/Makefile b/Makefile index 955caaa..3dd02a8 100644 --- a/Makefile +++ b/Makefile @@ -2,7 +2,6 @@ PORT ?= 8000 IMAGE ?= opbeans/opbeans-java VERSION ?= latest LTS_ALPINE ?= 12-alpine -DIGEST = $(shell docker images --format "{{.Digest}}" --no-trunc $(IMAGE)) .PHONY: help .DEFAULT_GOAL := help 
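Review bot: `DOCKER_IMAGE_NAME: opbeans/opbeans-java` duplicates the `IMAGE ?= opbeans/opbeans-java` default in the Makefile (visible as context in this patch's Makefile hunk), so the two can drift without any error. A comment makes the coupling visible: `# keep in sync with IMAGE in the Makefile`. Since the attest step later uses this value as `subject-name`, stating whether it is meant to be the bare Docker Hub name or a registry-qualified name would also help.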
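Review bot: The `# tag event` line inside `tags: |` is part of the block scalar, not a YAML comment, so it is passed to docker/metadata-action as a line of the `tags` input; unless the action skips `#` lines, it will be read as a malformed tag rule. Move it above the `tags:` key (`# tags: 'latest' on main, plus the git tag on tag events`) and keep the scalar to the two `type=` lines. Separately, `subject-name: ${{ env.DOCKER_IMAGE_NAME }}` is an unqualified Docker Hub name; provenance actions of this kind usually expect the fully qualified image name (registry host included) when the attestation is pushed to the registry, which is worth confirming against the action's documentation. The earlier steps of the `release` job and the workflow header lie outside this hunk.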
@@ -30,14 +29,6 @@ test: prepare-test ## Run the tests @docker run --rm -v "${PWD}":/usr/src/app -w /usr/src/app node:${LTS_ALPINE} \ sh -c "npm install tap-xunit -g && cat target/results.tap | tap-xunit --package='co.elastic.opbeans' > target/junit-results.xml" -publish: build ## Publish docker image - @docker push "${IMAGE}:${VERSION}" - -docker-envs: ## Generate github output - echo "image=${IMAGE}" >> "$$GITHUB_OUTPUT" - echo "tag=${VERSION}" >> "$$GITHUB_OUTPUT" - echo "digest=${DIGEST}" >> "$$GITHUB_OUTPUT" - clean: ## Clean autogenerated files/folders @rm -rf bats @rm -rf target From c536a3bcb60abe77fe432711d9f4334e4538cf02 Mon Sep 17 00:00:00 2001 From: Victor Martinez Date: Thu, 25 Apr 2024 19:29:20 +0200 Subject: [PATCH 3/5] disable --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 2e7ad86..ae10ea2 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -59,4 +59,4 @@ jobs: with: subject-name: ${{ env.DOCKER_IMAGE_NAME }} subject-digest: ${{ steps.docker-push.outputs.digest }} - push-to-registry: true + push-to-registry: false From 4f828ae98da838ffcac5616c3c90ace994216c80 Mon Sep 17 00:00:00 2001 From: Victor Martinez Date: Thu, 25 Apr 2024 19:30:07 +0200 Subject: [PATCH 4/5] unrequired --- .github/workflows/release.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index ae10ea2..1ef2853 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -31,10 +31,6 @@ jobs: roleId: ${{ secrets.VAULT_ROLE_ID }} secretId: ${{ secrets.VAULT_SECRET_ID }} - - name: Set version if tags - run: echo "VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV - if: startsWith(github.ref, 'refs/tags/v') - - name: Extract metadata (tags, labels) id: docker-meta uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 
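Review bot: Flipping `push-to-registry` to `false` means the provenance is no longer attached to the image in the registry, so anyone pulling `opbeans/opbeans-java` from Docker Hub has no registry-side attestation to verify; the attestation presumably remains only where the action stores it on GitHub. The commit message says only "disable", so a comment recording the reason would help the next maintainer decide whether to re-enable it: `# push-to-registry: false — <reason>`. The step still uses `github-early-access/generate-build-provenance@main`, which remains unpinned.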
From f400f7e0966760cc41ba13e1bd0dfa70f397c248 Mon Sep 17 00:00:00 2001 From: Victor Martinez Date: Thu, 25 Apr 2024 19:31:08 +0200 Subject: [PATCH 5/5] revert --- Makefile | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Makefile b/Makefile index 3dd02a8..af55bcc 100644 --- a/Makefile +++ b/Makefile @@ -29,6 +29,9 @@ test: prepare-test ## Run the tests @docker run --rm -v "${PWD}":/usr/src/app -w /usr/src/app node:${LTS_ALPINE} \ sh -c "npm install tap-xunit -g && cat target/results.tap | tap-xunit --package='co.elastic.opbeans' > target/junit-results.xml" +publish: build ## Publish docker image + @docker push "${IMAGE}:${VERSION}" + clean: ## Clean autogenerated files/folders @rm -rf bats @rm -rf target
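Review bot: The restored `publish` target pushes `${IMAGE}:${VERSION}` (VERSION defaults to `latest`) straight to the registry, while the workflow, since patch 2 of this series, publishes via docker/build-push-action and attests the pushed digest; an image pushed through `make publish` gets no provenance attestation. The help text should say which path is canonical: `publish: build ## Publish docker image (manual use only; CI publishes and attests via release.yml)`. The `build` prerequisite is defined outside this hunk.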