From ee1342d1df8e6dcef5297d3d017cfd4ddf39bc8a Mon Sep 17 00:00:00 2001
From: Ralf Kistner
Date: Thu, 7 Aug 2025 14:08:52 +0200
Subject: [PATCH 1/8] Add provenance and sbom.
---
 .github/workflows/development_image_release.yaml | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/.github/workflows/development_image_release.yaml b/.github/workflows/development_image_release.yaml
index bffe5ec98..faffed31e 100644
--- a/.github/workflows/development_image_release.yaml
+++ b/.github/workflows/development_image_release.yaml
@@ -67,6 +67,11 @@ jobs:
 id: get_version
 run: echo "SERVICE_VERSION=$(node -p "require('./service/package.json').version")" >> $GITHUB_OUTPUT
 
+ - name: Extract metadata for the image
+ uses: docker/metadata-action@v5
+ with:
+ images: ${{ vars.DOCKER_REGISTRY }}
+
 - name: Build Image and Push
 uses: docker/build-push-action@v5
 with:
@@ -76,4 +81,8 @@ jobs:
 # This should not be taged as latest
 tags: ${{vars.DOCKER_REGISTRY}}:${{steps.get_version.outputs.SERVICE_VERSION}}
 push: true
+ # Note: This includes build args in the published provenance.
+ # Do not use this if secrets are passed in as args.
+ provenance: mode=max
+ sbom: true
 file: ./service/Dockerfile
From 3f435062341d4c84a80b01873ba09332475e5a2b Mon Sep 17 00:00:00 2001
From: Ralf Kistner
Date: Thu, 7 Aug 2025 15:06:09 +0200
Subject: [PATCH 2/8] Update action.
---
 .github/workflows/development_image_release.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/development_image_release.yaml b/.github/workflows/development_image_release.yaml
index faffed31e..2444e7633 100644
--- a/.github/workflows/development_image_release.yaml
+++ b/.github/workflows/development_image_release.yaml
@@ -73,7 +73,7 @@ jobs:
 images: ${{ vars.DOCKER_REGISTRY }}
 
 - name: Build Image and Push
- uses: docker/build-push-action@v5
+ uses: docker/build-push-action@v6
 with:
 platforms: linux/arm64,linux/amd64
 cache-from: type=registry,ref=${{vars.DOCKER_REGISTRY}}:latest
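Review bot: `uses: docker/metadata-action@v5` in the new step is pinned to a mutable major tag, so a moved tag or a compromised upstream release silently changes what runs inside a job that pushes to the registry; the same applies to the `docker/build-push-action@v6` bumps in PATCH 2/8 and PATCH 6/8 and to the second `metadata-action@v5` step added in PATCH 4/8. Pin each third-party action to a full commit SHA and keep the version in a trailing comment, e.g. `uses: docker/metadata-action@<full-commit-sha>  # v5`, so an action update arrives as a reviewable diff instead of an implicit one. The enclosing job definition starts outside the hunk.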
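Review bot: The warning above `provenance: mode=max` names the hazard but not the safe alternative, and nothing in the step enforces it, so the next person adding a build argument has only that comment to go on. Extend it to `# Pass secrets via the secrets: input (BuildKit secret mounts), never build-args:, because mode=max records build args in the published provenance.` Whether any `build-args:` are already set on this step is not visible in the hunk.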
From 30773c81900789d4629d4e6db781c5f9d7e69262 Mon Sep 17 00:00:00 2001
From: Ralf Kistner
Date: Mon, 11 Aug 2025 15:26:51 +0200
Subject: [PATCH 3/8] Add labels and annotations.
---
 .github/workflows/development_image_release.yaml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/development_image_release.yaml b/.github/workflows/development_image_release.yaml
index 2444e7633..118451f9a 100644
--- a/.github/workflows/development_image_release.yaml
+++ b/.github/workflows/development_image_release.yaml
@@ -78,8 +78,11 @@ jobs:
 platforms: linux/arm64,linux/amd64
 cache-from: type=registry,ref=${{vars.DOCKER_REGISTRY}}:latest
 context: .
- # This should not be taged as latest
+ # This should not be taged as latest
 tags: ${{vars.DOCKER_REGISTRY}}:${{steps.get_version.outputs.SERVICE_VERSION}}
+ # Add labels from metadata-action above.
+ labels: ${{ steps.meta.outputs.labels }}
+ annotations: ${{ steps.meta.outputs.annotations }}
 push: true
 # Note: This includes build args in the published provenance.
 # Do not use this if secrets are passed in as args.
From d5fe3ef9e34804aedb40237ebf86514258ccc0ae Mon Sep 17 00:00:00 2001
From: Ralf Kistner
Date: Mon, 11 Aug 2025 15:30:45 +0200
Subject: [PATCH 4/8] Update production image release action.
---
 .github/workflows/development_image_release.yaml | 8 +++++---
 .github/workflows/packages_release.yaml | 16 +++++++++++++++-
 2 files changed, 20 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/development_image_release.yaml b/.github/workflows/development_image_release.yaml
index 118451f9a..c6b8dac37 100644
--- a/.github/workflows/development_image_release.yaml
+++ b/.github/workflows/development_image_release.yaml
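Review bot: `labels: ${{ steps.meta.outputs.labels }}` and the `annotations:` line below it reference a step id `meta`, but the metadata step added in PATCH 1/8 carries no `id:` at this point in the series; `id: meta` only arrives in PATCH 7/8, so images built from PATCH 3/8 through 6/8 would presumably be published with empty labels and annotations. Moving the `id:` into this commit (or squashing the series) keeps every commit self-consistent. The re-indented comment also keeps the typo `taged`; `# This should not be tagged as latest` while the line is being touched.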
@@ -80,12 +80,14 @@ jobs:
 context: .
 # This should not be taged as latest
 tags: ${{vars.DOCKER_REGISTRY}}:${{steps.get_version.outputs.SERVICE_VERSION}}
- # Add labels from metadata-action above.
+ file: ./service/Dockerfile
+ push: true
+
+ # Add labels and annotations from metadata-action above.
 labels: ${{ steps.meta.outputs.labels }}
 annotations: ${{ steps.meta.outputs.annotations }}
- push: true
 # Note: This includes build args in the published provenance.
 # Do not use this if secrets are passed in as args.
 provenance: mode=max
+ # Pre-generate an SBOM file, which can be used for vulnerability scanning or listing licenses.
 sbom: true
- file: ./service/Dockerfile
diff --git a/.github/workflows/packages_release.yaml b/.github/workflows/packages_release.yaml
index a81c706cd..06d32e6d2 100644
--- a/.github/workflows/packages_release.yaml
+++ b/.github/workflows/packages_release.yaml
@@ -112,6 +112,11 @@ jobs:
 id: get_version
 run: echo "SERVICE_VERSION=$(node -p "require('./service/package.json').version")" >> $GITHUB_OUTPUT
 
+ - name: Extract metadata for the image
+ uses: docker/metadata-action@v5
+ with:
+ images: ${{ vars.DOCKER_REGISTRY }}
+
 - name: Build Image and Push
 uses: docker/build-push-action@v5
 with:
@@ -122,7 +127,16 @@ jobs:
 push: true
 file: ./service/Dockerfile
 
- # # Updates the README section on the DockerHub page
+ # Add labels and annotations from metadata-action above.
+ labels: ${{ steps.meta.outputs.labels }}
+ annotations: ${{ steps.meta.outputs.annotations }}
+ # Note: This includes build args in the published provenance.
+ # Do not use this if secrets are passed in as args.
+ provenance: mode=max
+ # Pre-generate an SBOM file, which can be used for vulnerability scanning or listing licenses.
+ sbom: true
+
+ # Updates the README section on the DockerHub page
 - name: Update repo description
 # Note that this 3rd party extention is recommended in the DockerHub docs:
 # https://docs.docker.com/build/ci/github-actions/update-dockerhub-desc/
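Review bot: `# Pre-generate an SBOM file, which can be used for vulnerability scanning or listing licenses.` above `sbom: true` describes a file, but the input produces an SBOM attestation that is pushed alongside the image, not a file in the workspace; the same comment is added to development_image_release.yaml in the first hunk of this patch. Suggest `# Attach an SBOM attestation to the pushed image (usable by vulnerability scanners and license tooling).` instead. The labels/annotations/provenance/sbom stanza is now duplicated verbatim across both workflows, so a `# Keep in sync with development_image_release.yaml` marker would help keep the two from drifting.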
From 87dd730cc529cb4cef1c4494d5da446bea9909c7 Mon Sep 17 00:00:00 2001
From: Ralf Kistner
Date: Mon, 11 Aug 2025 15:31:33 +0200
Subject: [PATCH 5/8] Changeset.
---
 .changeset/silent-suns-watch.md | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 .changeset/silent-suns-watch.md
diff --git a/.changeset/silent-suns-watch.md b/.changeset/silent-suns-watch.md
new file mode 100644
index 000000000..8413a2d0f
--- /dev/null
+++ b/.changeset/silent-suns-watch.md
@@ -0,0 +1,5 @@
+---
+'@powersync/service-image': patch
+---
+
+Add attestations to Docker image.
From 5bf0a82b1cc723e2a5baf96647b13489dbfdcf73 Mon Sep 17 00:00:00 2001
From: Ralf Kistner
Date: Mon, 11 Aug 2025 15:31:53 +0200
Subject: [PATCH 6/8] docker/build-push-action@v6
---
 .github/workflows/packages_release.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/packages_release.yaml b/.github/workflows/packages_release.yaml
index 06d32e6d2..f6f497737 100644
--- a/.github/workflows/packages_release.yaml
+++ b/.github/workflows/packages_release.yaml
@@ -118,7 +118,7 @@ jobs:
 images: ${{ vars.DOCKER_REGISTRY }}
 
 - name: Build Image and Push
- uses: docker/build-push-action@v5
+ uses: docker/build-push-action@v6
 with:
 platforms: linux/arm64,linux/amd64
 cache-from: type=registry,ref=${{vars.DOCKER_REGISTRY}}:latest
From fae77beb90bab82b2bad835ecf432da2df756171 Mon Sep 17 00:00:00 2001
From: Ralf Kistner
Date: Mon, 11 Aug 2025 15:58:22 +0200
Subject: [PATCH 7/8] Fix metadata action.
---
 .github/workflows/development_image_release.yaml | 9 +++++++++
 .github/workflows/packages_release.yaml | 9 +++++++++
 2 files changed, 18 insertions(+)
diff --git a/.github/workflows/development_image_release.yaml b/.github/workflows/development_image_release.yaml
index c6b8dac37..bf8c31b8d 100644
--- a/.github/workflows/development_image_release.yaml
+++ b/.github/workflows/development_image_release.yaml
@@ -69,8 +69,17 @@ jobs:
 
 - name: Extract metadata for the image
 uses: docker/metadata-action@v5
+ id: meta
 with:
 images: ${{ vars.DOCKER_REGISTRY }}
+ labels: |
+ org.opencontainers.image.licenses=FSL-1.1-ALv2
+ org.opencontainers.image.version=${{ steps.get_version.outputs.SERVICE_VERSION }}
+ org.opencontainers.image.vendor=Journey Mobile, Inc
+ annotations: |
+ org.opencontainers.image.licenses=FSL-1.1-ALv2
+ org.opencontainers.image.version=${{ steps.get_version.outputs.SERVICE_VERSION }}
+ org.opencontainers.image.vendor=Journey Mobile, Inc
 
 - name: Build Image and Push
 uses: docker/build-push-action@v6
diff --git a/.github/workflows/packages_release.yaml b/.github/workflows/packages_release.yaml
index f6f497737..0e750d9e4 100644
--- a/.github/workflows/packages_release.yaml
+++ b/.github/workflows/packages_release.yaml
@@ -114,8 +114,17 @@ jobs:
 
 - name: Extract metadata for the image
 uses: docker/metadata-action@v5
+ id: meta
 with:
 images: ${{ vars.DOCKER_REGISTRY }}
+ labels: |
+ org.opencontainers.image.licenses=FSL-1.1-ALv2
+ org.opencontainers.image.version=${{ steps.get_version.outputs.SERVICE_VERSION }}
+ org.opencontainers.image.vendor=Journey Mobile, Inc
+ annotations: |
+ org.opencontainers.image.licenses=FSL-1.1-ALv2
+ org.opencontainers.image.version=${{ steps.get_version.outputs.SERVICE_VERSION }}
+ org.opencontainers.image.vendor=Journey Mobile, Inc
 
 - name: Build Image and Push
 uses: docker/build-push-action@v6
From 86dca00cd5337134330c41d831050dc2d2c45f9c Mon Sep 17 00:00:00 2001
From: Ralf Kistner
Date: Mon, 11 Aug 2025 16:20:50 +0200
Subject: [PATCH 8/8] Add annotations on the index.
---
 .github/workflows/development_image_release.yaml | 2 ++
 .github/workflows/packages_release.yaml | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/.github/workflows/development_image_release.yaml b/.github/workflows/development_image_release.yaml
index bf8c31b8d..94cb2d5c1 100644
--- a/.github/workflows/development_image_release.yaml
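Review bot: The three OCI entries under `labels: |` are repeated verbatim under `annotations: |`, and the whole block appears again in the packages_release.yaml hunk, so a change to the license id, vendor or version source has to be made in four places and nothing checks that they stay equal. The risk is not correctness today but silent drift between the label set and the annotation set, or between the two workflows. At minimum add `# Keep labels and annotations identical, and in sync with packages_release.yaml.` above `labels:` in this file and the mirror comment in the other. The `version` entry is fed by the `get_version` step, whose definition lies outside the hunk.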
+++ b/.github/workflows/development_image_release.yaml
@@ -80,6 +80,8 @@ jobs:
 org.opencontainers.image.licenses=FSL-1.1-ALv2
 org.opencontainers.image.version=${{ steps.get_version.outputs.SERVICE_VERSION }}
 org.opencontainers.image.vendor=Journey Mobile, Inc
+ env:
+ DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
 
 - name: Build Image and Push
 uses: docker/build-push-action@v6
diff --git a/.github/workflows/packages_release.yaml b/.github/workflows/packages_release.yaml
index 0e750d9e4..bc1e87c87 100644
--- a/.github/workflows/packages_release.yaml
+++ b/.github/workflows/packages_release.yaml
@@ -125,6 +125,8 @@ jobs:
 org.opencontainers.image.licenses=FSL-1.1-ALv2
 org.opencontainers.image.version=${{ steps.get_version.outputs.SERVICE_VERSION }}
 org.opencontainers.image.vendor=Journey Mobile, Inc
+ env:
+ DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
 
 - name: Build Image and Push
 uses: docker/build-push-action@v6
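Review bot: `DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index` is added without a comment, and the reason is not obvious from the name: the image is built for `linux/arm64,linux/amd64`, so the pushed tag points at a multi-platform index, and with the action's default level the annotations would land only on the per-platform manifests. The same applies to the packages_release.yaml hunk. Suggest `# Also annotate the multi-platform image index, not only each per-platform manifest.` above `env:` in both files. The step's `with:` block and the `- name:` line start outside the hunk.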