feat(ci): attest build provenance

.github/workflows/ghcr-publish.yml

@@ -19,6 +19,8 @@ jobs:
     permissions:
       contents: read
       packages: write
+      id-token: write       # mint the OIDC token the attestation is signed with
+      attestations: write   # write the build-provenance attestation (the "claim")
 
     steps:
       - name: Checkout repository
@@ -49,9 +51,28 @@ jobs:
           sudo nerdctl tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
 
       - name: Push image
+        id: push
         run: |
           sudo nerdctl push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
           sudo nerdctl push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
+          # nerdctl push has no --digestfile, so read the real sha256 back from
+          # the registry with skopeo (pre-installed on ubuntu-latest). This is
+          # the digest the registry actually holds for the pushed tag.
+          DIGEST="$(skopeo inspect --format '{{.Digest}}' \
+            --creds "${{ github.actor }}:${{ secrets.GITHUB_TOKEN }}" \
+            docker://${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }})"
+          echo "digest=$DIGEST" >> "$GITHUB_OUTPUT"
+
+      # GitHub native artifact attestation (build provenance) for the pushed
+      # image. Verify with:
+      #   gh attest verify oci://ghcr.io/${{ github.repository }}:<tag> \
+      #     --repo ${{ github.repository }}
+      - name: Attest container provenance
+        uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
 
       - name: Tag release version
         if: github.event_name == 'release'