provenance for docker images

.github/workflows/release.yml

@@ -68,6 +68,35 @@ jobs:
         with:
           subject-path: "${{ github.workspace }}/dist/*.*"
 
+      # See https://github.com/github-early-access/generate-build-provenance/issues/162
+      - name: container image digest
+        id: image
+        run: |
+          set -euo pipefail
+          # Gather the container image generated with goreleaser
+          image=$(jq -r '.[] | select (.type=="Docker Image") | .path' dist/artifacts.json | cut -d':' -f1 | uniq)
+          image_1=$(echo $image | head -n1)
+          image_2=$(echo $image | tail -n1)
+          # Fetch the digest for the container image (amd64 and arm64)
+          digest_1=$(docker images --format "{{.Digest}}" --no-trunc $image | sed -n 1p)
+          digest_2=$(docker images --format "{{.Digest}}" --no-trunc $image | sed -n 2p)
+          echo "name_1=$image" >> "$GITHUB_OUTPUT"
+          echo "name_2=$image" >> "$GITHUB_OUTPUT"
+          echo "digest_1=$digest_1" >> "$GITHUB_OUTPUT"
+          echo "digest_2=$digest_2" >> "$GITHUB_OUTPUT"
+
+      - name: generate build provenance (containers x86_64)
+        uses: github-early-access/generate-build-provenance@main
+        with:
+          subject-name: ${{ steps.image.outputs.name_1 }}
+          subject-digest: ${{ steps.image.outputs.digest_1 }}
+
+      - name: generate build provenance (containers arm64)
+        uses: github-early-access/generate-build-provenance@main
+        with:
+          subject-name: ${{ steps.image.outputs.name_2 }}
+          subject-digest: ${{ steps.image.outputs.digest_2 }}
+
       - name: GitHub Release
         run: make release-notes
         env: