feat(release): attest (#15)

* feat(release): attest

Signed-off-by: Toni Tauro <toni.tauro@adfinis.com>

* fix(autotag/release): use permissions

Signed-off-by: Toni Tauro <toni.tauro@adfinis.com>

* fix(autotag): contents - write

Signed-off-by: Toni Tauro <toni.tauro@adfinis.com>

* fix(release): only if tag

Signed-off-by: Toni Tauro <toni.tauro@adfinis.com>

---------

Signed-off-by: Toni Tauro <toni.tauro@adfinis.com>

.github/workflows/autotag.yaml

@@ -6,6 +6,8 @@ on:
 jobs:
   release:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -16,5 +18,5 @@ jobs:
         id: semrel
         uses: go-semantic-release/action@v1.21
         with:
-          github-token: ${{ secrets.PAT }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
           allow-initial-development-versions: true

.github/workflows/release.yaml

@@ -12,6 +12,11 @@ on:
 jobs:
   build-container:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      packages: write
+      contents: read
+      attestations: write
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -37,7 +42,7 @@ jobs:
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
-          password: ${{ secrets.PAT }}
+          password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build
         uses: redhat-actions/buildah-build@v2
@@ -64,3 +69,12 @@ jobs:
           image: ${{ steps.build.outputs.image }}
           tags: ${{ steps.build.outputs.tags }}
           registry: ghcr.io/eyenx
+
+      - name: Attest
+        uses: actions/attest-build-provenance@v1
+        if: startsWith(github.ref, 'refs/tags/v')
+        id: attest
+        with:
+          subject-name: ghcr.io/eyenx/blog
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true