From 38d6c83636ecace42c480929b6b35ecd0700ab36 Mon Sep 17 00:00:00 2001
From: Kyle McLaren <mclaren@fly.io>
Date: Wed, 3 Jul 2024 22:26:59 +0200
Subject: [PATCH] Update build /push workflow

---
 .github/workflows/push.yaml | 67 ++++++++++++++++++++++++++-----------
 1 file changed, 47 insertions(+), 20 deletions(-)

diff --git a/.github/workflows/push.yaml b/.github/workflows/push.yaml
index 675bb5f..7b27ef8 100644
--- a/.github/workflows/push.yaml
+++ b/.github/workflows/push.yaml
@@ -1,27 +1,54 @@
-name: Build and Push
+name: Build and Push Image
 
 on:
-    push:
-      branches:
-        - main
-      paths-ignore:
-        - '**.md'
-        - '.github/**'
-        - '.gitignore'
-    workflow_dispatch:
+  push:
+    branches:
+      - main
+    paths-ignore:
+      - '**.md'
+      - '.github/**'
+      - '.gitignore'
+  workflow_dispatch:
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
 
 jobs:
-  build:
-    name: Build and Push Cog Image
+  build-and-push-image:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      attestations: write
+      id-token: write
+
     steps:
-        - uses: actions/checkout@v3
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and Push Cog Image
+        runs-on: ubuntu-latest
+        steps:
+            - uses: actions/checkout@v3
 
-        - uses: replicate/setup-cog@v2
-          with:
-            install-cuda: false
-            cog-version: v0.9.12
-        - run: |
-            cog push ghcr.io/fly-apps/cog-whisper:latest --use-cuda-base-image false
-          env:
-            GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+            - uses: replicate/setup-cog@v2
+              with:
+                install-cuda: false
+                cog-version: v0.9.12
+            - run: |
+                cog push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}:latest --use-cuda-base-image false
+                
+      * name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true