ops: improve ci by attesting build

Author: drawbu

.github/workflows/docker.yml

@@ -5,6 +5,16 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+  packages: write
+  id-token: write
+
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ghcr.io/${{ github.repository }}
+
 jobs:
   docker:
     runs-on: ubuntu-latest
@@ -14,18 +24,33 @@ jobs:
       uses: actions/checkout@v4
 
     - name: Setup Nix
-      uses: cachix/install-nix-action@v27
+      uses: cachix/install-nix-action@v30
 
     - name: Build Docker image
       run: nix build .#docker
 
-    - name: Log in to GitHub Container Registry
-      run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+    - name: Login to GitHub Container Registry
+      uses: docker/login-action@v3
+      with:
+        registry: ${{ env.REGISTRY }}
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
 
-    - name: Load Docker image
+    - name: Push Docker image to GitHub Container Registry
+      id: push
       run: |
         docker load < result
-        docker tag drawbu.dev ghcr.io/${{ github.repository }}:latest
-
-    - name: Push Docker image to GitHub Container Registry
-      run: docker push ghcr.io/${{ github.repository }}:latest
+        docker tag drawbu.dev ${{ env.IMAGE_NAME }}
+        docker push ${{ env.IMAGE_NAME }}
+        digest=$(docker image inspect ${{ env.IMAGE_NAME }} \
+               | nix run nixpkgs#jq -- --raw-output '.[].RepoDigests[]' \
+               | cut -d@ -f2)
+        echo "digest=$digest" >> "$GITHUB_OUTPUT"
+
+    - name: Attest
+      uses: actions/attest-build-provenance@v1
+      id: attest
+      with:
+        subject-name: ${{ env.IMAGE_NAME }}
+        subject-digest: ${{ steps.push.outputs.digest }}
+        push-to-registry: true