✨ add attestations to image build

Author: carlosthe19916

.github/workflows/build-push-images.yaml

@@ -72,6 +72,11 @@ jobs:
   build:
     needs: [ prepare ]
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+      attestations: write
+      packages: write
     env:
       tag: ${{ needs.prepare.outputs.tag }}
     strategy:
@@ -162,9 +167,21 @@ jobs:
           password: ${{ secrets.registry_password }}
           registry: ${{ inputs.registry }}
 
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-name: ${{ inputs.registry }}/${{ steps.build.outputs.image-with-tag }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
+
   manifest:
     needs: [ prepare, build ]
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+      attestations: write
+      packages: write
     env:
       tag: ${{ needs.prepare.outputs.tag }}
     steps:
@@ -193,4 +210,11 @@ jobs:
           tags: ${{ env.tag }}
           username: ${{ secrets.registry_username }}
           password: ${{ secrets.registry_password }}
-          registry: ${{ inputs.registry }}
+          registry: ${{ inputs.registry }}
+
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-name: ${{ inputs.registry }}/${{ inputs.image_name }}:${{ env.tag }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true