chore: use ghcr for latest tag attestations (argoproj#13058)

Signed-off-by: Justin Marquis <34fathombelow@protonmail.com>
yyzxw · Aug 9, 2023 · 23bb4c8 · 23bb4c8
1 parent 97eb466
commit 23bb4c8
Showing 1 changed file with 5 additions and 5 deletions.
diff --git a/.github/workflows/image.yaml b/.github/workflows/image.yaml
@@ -77,7 +77,7 @@ jobs:
       ghcr_username: ${{ github.actor }}
       ghcr_password: ${{ secrets.GITHUB_TOKEN }}
 
-  build-and-publish-provenance:
+  build-and-publish-provenance: # Push attestations to GHCR, latest image is polluting quay.io
     needs: [build-and-publish]
     permissions:
       actions: read # for detecting the Github Actions environment.
@@ -87,11 +87,11 @@ jobs:
     # Must be refernced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
     uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.5.0
     with:
-      image: quay.io/argoproj/argocd
-      digest: ${{ needs.build-and-publish.outputs.image-digest }}
+      image: ghcr.io/argoproj/argo-cd/argocd
+      digest: ${{ needs.set-vars.outputs.image-tag }}
+      registry-username: ${{ github.actor }}
     secrets:
-      registry-username: ${{ secrets.RELEASE_QUAY_USERNAME }}
-      registry-password: ${{ secrets.RELEASE_QUAY_TOKEN }}
+      registry-password: ${{ secrets.GITHUB_TOKEN }}
 
   Deploy:
     needs: