From 68f39244bab976c4d92ea7d1c2ba91fd83b12c11 Mon Sep 17 00:00:00 2001
From: Samuel Rounce
Date: Sat, 25 Jan 2025 21:14:25 +0000
Subject: [PATCH] Feat: Use GITHUB_TOKEN for publishing container images
---
 .github/workflows/ghcr.yml | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/ghcr.yml b/.github/workflows/ghcr.yml
index c4c0ff2..78b22e3 100644
--- a/.github/workflows/ghcr.yml
+++ b/.github/workflows/ghcr.yml
@@ -3,10 +3,19 @@ name: ghcr.io publish docker image
 on:
 workflow_dispatch:
+env:
+ REGISTRY: ghcr.io
+ IMAGE_NAME: ${{ github.event.repository.full_name }}
+
 jobs:
 push_to_registry:
 name: Push Docker image to ghcr.io
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+ attestations: write
+ id-token: write
 steps:
 - name: Check out the repo
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
@@ -31,13 +40,13 @@ jobs:
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
- password: ${{ secrets.CR_PAT }}
+ password: ${{ secrets.GITHUB_TOKEN }}
 - name: Extract metadata (tags, labels) for Docker
 id: meta
 uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
 with:
- images: ghcr.io/${{ github.event.repository.full_name }}
+ images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
 tags: |
 type=ref,event=branch
 type=ref,event=tag
@@ -47,5 +56,10 @@ jobs:
 id: vars
 run: echo "GIT_SHORT_SHA=$(git rev-parse --short HEAD)" >> $GITHUB_ENV
- - name: Build and push Docker image
- run: GIT_SHA=$GIT_SHORT_SHA docker buildx bake all --push
+ - name: Build and push
+ uses: docker/bake-action@v6
+ with:
+ push: true
+ provenance: true
+ env:
+ REPO: ${{ env.IMAGE_NAME }}
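Review bot: The new `permissions:` block grants `attestations: write` and `id-token: write`, but nothing visible in this patch consumes them. The only provenance feature added is `provenance: true` on the bake step, which appears to need only `packages: write` because BuildKit attaches the attestation to the pushed image. Unless a step outside these hunks (the steps between checkout and login are not shown) does keyless signing or calls an artifact-attestation action, drop both lines so the job token cannot mint OIDC tokens or write attestations. If they stay, add a comment naming the consumer, e.g. `# id-token: write - required by <step name>`.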
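Review bot: Switching the login to `secrets.GITHUB_TOKEN` only works if the existing ghcr.io package grants this repository write access. A package first pushed with `CR_PAT` may not be linked to the repo, in which case the push is denied, so check the package's Actions access settings before merging and revoke and delete the `CR_PAT` secret once the workflow succeeds. The login step, which begins above this hunk, still hard-codes `registry: ghcr.io` while the images line now uses the new variable; `registry: ${{ env.REGISTRY }}` would keep the two from drifting. Minor: `${{ env.IMAGE_NAME}}` lacks the space before the closing braces that the file's other expressions have.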
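Review bot: `docker/bake-action@v6` is referenced by a mutable tag while the other actions in this file are pinned to full commit SHAs, and this step runs with `packages: write` and `id-token: write`; pin it the same way, `uses: docker/bake-action@<full-commit-sha> # v6`. The replaced command ran `bake all` with `GIT_SHA=$GIT_SHORT_SHA`, but the new step sets no `targets` and passes only `REPO`, so it builds the default group and leaves `GIT_SHA` unset. If the bake file (not shown) relies on either, add `targets: all` under `with:` and `GIT_SHA: ${{ env.GIT_SHORT_SHA }}` under `env:`. `REPO` also receives the repository name without the lowercasing that metadata-action applies to `images`, which matters for a mixed-case owner or repo name if the bake file builds tags from it.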