ci: enable docker image attestations

2026-05-06 17:00:50 +00:00 · 2026-04-26 22:11:30 +01:00
parent 2194a8c64c
commit 824c3e2b71
2 changed files with 10 additions and 5 deletions
--- a/.github/workflows/docker-release.yml
+++ b/.github/workflows/docker-release.yml
@@ -163,7 +163,8 @@ jobs:
            OPENCLAW_EXTENSIONS=diagnostics-otel
          tags: ${{ steps.tags.outputs.value }}
          labels: ${{ steps.labels.outputs.value }}
-          provenance: false
+          sbom: true
+          provenance: mode=max
          push: true

      - name: Build and push amd64 slim image
@@ -180,7 +181,8 @@ jobs:
            OPENCLAW_VARIANT=slim
          tags: ${{ steps.tags.outputs.slim }}
          labels: ${{ steps.labels.outputs.value }}
-          provenance: false
+          sbom: true
+          provenance: mode=max
          push: true

  # Build arm64 images (default + slim share the build stage cache)
@@ -283,7 +285,8 @@ jobs:
            OPENCLAW_EXTENSIONS=diagnostics-otel
          tags: ${{ steps.tags.outputs.value }}
          labels: ${{ steps.labels.outputs.value }}
-          provenance: false
+          sbom: true
+          provenance: mode=max
          push: true

      - name: Build and push arm64 slim image
@@ -300,7 +303,8 @@ jobs:
            OPENCLAW_VARIANT=slim
          tags: ${{ steps.tags.outputs.slim }}
          labels: ${{ steps.labels.outputs.value }}
-          provenance: false
+          sbom: true
+          provenance: mode=max
          push: true

  # Create multi-platform manifests
--- a/.github/workflows/openclaw-live-and-e2e-checks-reusable.yml
+++ b/.github/workflows/openclaw-live-and-e2e-checks-reusable.yml
@@ -628,7 +628,8 @@ jobs:
          cache-from: type=gha,scope=docker-e2e
          cache-to: type=gha,mode=max,scope=docker-e2e
          tags: ${{ steps.image.outputs.image }}
-          provenance: false
+          sbom: true
+          provenance: mode=max
          push: true

  validate_live_models_docker: