From 5a18909314aad69c9bd1860bd704f0296982ceaa Mon Sep 17 00:00:00 2001
From: Bret Fisher
Date: Fri, 10 Mar 2023 22:04:47 -0500
Subject: [PATCH 1/5] testing attestations
---
 .github/workflows/reusable-docker-build.yaml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/reusable-docker-build.yaml b/.github/workflows/reusable-docker-build.yaml
index 723f9c6..e36678d 100644
--- a/.github/workflows/reusable-docker-build.yaml
+++ b/.github/workflows/reusable-docker-build.yaml
@@ -163,6 +163,9 @@ jobs:
 push: true
 tags: ${{ steps.docker_meta.outputs.tags }}
 labels: ${{ steps.docker_meta.outputs.labels }}
+ # add attestations for provenance and sbom
+ provenance: true
+ sbom: true
 -
 # If PR, put image tags in the PR comments
 # from https://github.com/marketplace/actions/create-or-update-comment
From 4a302722eee37ce3350b25849f92fc85c6d7a228 Mon Sep 17 00:00:00 2001
From: Bret Fisher
Date: Fri, 10 Mar 2023 22:08:22 -0500
Subject: [PATCH 2/5] remove test
---
 .github/workflows/call-local-docker-build.yaml | 11 -----------
 1 file changed, 11 deletions(-)
diff --git a/.github/workflows/call-local-docker-build.yaml b/.github/workflows/call-local-docker-build.yaml
index ace839f..f2f34d7 100644
--- a/.github/workflows/call-local-docker-build.yaml
+++ b/.github/workflows/call-local-docker-build.yaml
@@ -18,17 +18,6 @@ on:
 jobs:
- testing-event-messages:
- if: always()
- runs-on: ubuntu-latest
- steps:
- -
- run: |
- echo "event_name: ${{ github.event_name }}"
- # echo "event.workflow_run: ${{ github.event.workflow_run }}"
- echo "event.head_commit: ${{ github.event.head_commit }}"
- echo "event.head_commit.message: ${{ github.event.head_commit.message }}"
-
 call-docker-build:
 name: Call Docker Build
From fb2ccb0ea092447ab01e61caedb9df44a26cc319 Mon Sep 17 00:00:00 2001
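Review bot: In PATCH 1/5 (`reusable-docker-build.yaml`, hunk `@@ -163,6 +163,9 @@`), `provenance: true` and `sbom: true` leave the level of attestation detail to the tool's default, and nothing visible in the hunk verifies that the attestations were actually attached to the pushed image. Stating the mode explicitly, e.g. `provenance: mode=max`, documents what is recorded; the fuller mode can include build-argument values, so confirm that no secrets are passed as build args (any `build-args` input is outside the hunk). The comment could also say what the setting is for, e.g. `# attach SLSA provenance and an SBOM to the pushed image so consumers can verify how it was built`. The step's `uses:` line is outside the hunk, so whether the pinned action version supports these inputs cannot be confirmed from here.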
From: Bret Fisher
Date: Sat, 11 Mar 2023 00:13:28 -0500
Subject: [PATCH 3/5] remove checkout
---
 .github/workflows/reusable-docker-build.yaml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/reusable-docker-build.yaml b/.github/workflows/reusable-docker-build.yaml
index e36678d..9995fb9 100644
--- a/.github/workflows/reusable-docker-build.yaml
+++ b/.github/workflows/reusable-docker-build.yaml
@@ -107,9 +107,10 @@ jobs:
 ghcr-tag: ${{ steps.ghcr-tag.outputs.tag }}
 steps:
- -
- name: Checkout
- uses: actions/checkout@v3.3.0
+ # no need for manual checkout, per https://github.com/docker/build-push-action/#git-context
+ # -
+ # name: Checkout
+ # uses: actions/checkout@v3.3.0
 -
 # we need qemu and buildx so we can build multiple platforms later
 name: Set up QEMU
From aa5ab1f8a8d012fd6c201655c4cdb6846c4bbbfb Mon Sep 17 00:00:00 2001
From: Bret Fisher
Date: Sat, 11 Mar 2023 02:50:48 -0500
Subject: [PATCH 4/5] adding notes
---
 .github/workflows/reusable-docker-build.yaml | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/reusable-docker-build.yaml b/.github/workflows/reusable-docker-build.yaml
index 9995fb9..6681e57 100644
--- a/.github/workflows/reusable-docker-build.yaml
+++ b/.github/workflows/reusable-docker-build.yaml
@@ -107,10 +107,8 @@ jobs:
 ghcr-tag: ${{ steps.ghcr-tag.outputs.tag }}
 steps:
- # no need for manual checkout, per https://github.com/docker/build-push-action/#git-context
- # -
- # name: Checkout
- # uses: actions/checkout@v3.3.0
+ # no need for manual checkout if all we're doing is build->push
+ # RE: https://github.com/docker/build-push-action/#git-context
 -
 # we need qemu and buildx so we can build multiple platforms later
 name: Set up QEMU
From a9e5c2f5c7cc9f256a5aa87248140a4df9dee1a4 Mon Sep 17 00:00:00 2001
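Review bot: In PATCH 3/5 (hunk `@@ -107,9 +107,10 @@`), dropping the checkout is only safe if nothing later in the job reads the runner's workspace. The build step is outside this hunk, so check that it does not set `context:` to a local path and that no other step needs repository files. With the Git context the image is built from the ref of the triggering event rather than from files on the runner, so any earlier step that generates or modifies sources would be ignored without an error. The added comment could state that precondition, e.g. `# no checkout: valid only while the build step uses the default Git context and no step reads the workspace`.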
From: Bret Fisher
Date: Sat, 11 Mar 2023 02:54:35 -0500
Subject: [PATCH 5/5] looks like checkout is still needed
---
 .github/workflows/reusable-docker-build.yaml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/reusable-docker-build.yaml b/.github/workflows/reusable-docker-build.yaml
index 6681e57..e36678d 100644
--- a/.github/workflows/reusable-docker-build.yaml
+++ b/.github/workflows/reusable-docker-build.yaml
@@ -107,8 +107,9 @@ jobs:
 ghcr-tag: ${{ steps.ghcr-tag.outputs.tag }}
 steps:
- # no need for manual checkout if all we're doing is build->push
- # RE: https://github.com/docker/build-push-action/#git-context
+ -
+ name: Checkout
+ uses: actions/checkout@v3.3.0
 -
 # we need qemu and buildx so we can build multiple platforms later
 name: Set up QEMU
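Review bot: In PATCH 5/5 (hunk `@@ -107,8 +107,9 @@`), the restored `actions/checkout@v3.3.0` step keeps its default of persisting the job token in `.git/config`, and this job goes on to build and push an image from the workspace. If the Dockerfile copies the whole context and `.git` is not excluded by a `.dockerignore` (neither is visible here), that token could end up in a pushed layer; adding `with:` and `persist-credentials: false` to the step avoids this. Pinning the action to a full commit SHA, `uses: actions/checkout@<full-commit-sha> # v3.3.0`, would also keep a moved tag from changing what runs. A one-line comment saying why the checkout is required would preserve the reasoning that this commit deletes along with the two comment lines.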