chore: #95 Force provenance to mode=max and pin action versions

lbroudoux · lbroudoux · commit 2816b295d6a1 · 2025-03-30T23:19:15.000+01:00
Signed-off-by: Laurent Broudoux &lt;laurent.broudoux@gmail.com&gt;
diff --git a/.github/workflows/build-package.yml b/.github/workflows/build-package.yml
@@ -26,7 +26,7 @@ jobs:
 
       # Checkout repository content
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Set environment for branch
         run: |
@@ -42,15 +42,16 @@ jobs:
           fi
 
       - name: Install Cosign
-        uses: sigstore/cosign-installer@v3.7.0
+        if: github.repository_owner == 'microcks' && env.PACKAGE_IMAGE == 'true'
+        uuses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
 
       - name: Set up QEMU
         if: github.repository_owner == 'microcks' && env.PACKAGE_IMAGE == 'true'
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
 
       - name: Set up Docker Buildx
         if: github.repository_owner == 'microcks' && env.PACKAGE_IMAGE == 'true'
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
       
       - name: Login to Quay.io and Docker Hub registries and setup multi-arch builder
         if: github.repository_owner == 'microcks' && env.PACKAGE_IMAGE == 'true'
@@ -62,12 +63,13 @@ jobs:
       
       - name: Build and push container image
         id: build-and-push
-        uses: docker/build-push-action@v4.0.0
+        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
         if: github.repository_owner == 'microcks' && env.PACKAGE_IMAGE == 'true'
         with:
           context: .
           sbom: true
           push: true
+          provenance: mode=max
           platforms: linux/amd64,linux/arm64
           builder: buildx-multi-arch
           file: Dockerfile.ubi-minimal
@@ -77,6 +79,7 @@ jobs:
           tags: quay.io/microcks/microcks-postman-runtime:${{env.IMAGE_TAG}},docker.io/microcks/microcks-postman-runtime:${{env.IMAGE_TAG}}
 
       - name: Sign the image with GitHub OIDC Token
+        if: github.repository_owner == 'microcks' && env.PACKAGE_IMAGE == 'true'
         env:
           DIGEST: ${{ steps.build-and-push.outputs.digest }}
           TAGS: quay.io/microcks/microcks-postman-runtime:${{env.IMAGE_TAG}} docker.io/microcks/microcks-postman-runtime:${{env.IMAGE_TAG}}
