@arjundashrath slight change of plans.
Instead of inspecting `npm publish`, let us first inspect the `docker build and publish` event and generate provenance for the docker image.
We can pilot it with this workflow: https://github.com/madnuttah/unbound-docker/blob/c8a2b7a23028f22028ec0b4bfea28bb3441a090c/.github/workflows/build-unbound.yaml#L53 and potentially this one: https://github.com/Januson/docker-image-zola/blob/aec648b4ec0106667a239ba682d77be900bcc43f/.github/workflows/release.yml#L68
`harden-runner` should push the provenance record automatically to the docker registry.
We already monitor docker images. You need to identify the right image that was created, generate provenance, and push it.