chore: sign main/pr goreleaser outputs and upload them as artifacts

Signed-off-by: Sylvain Rabot <[email protected]>

Author: sylr

.github/workflows/main.yml

@@ -76,6 +76,9 @@ jobs:
 
   GoReleaser:
     runs-on: "shipfox-4vcpu-ubuntu-2404"
+    permissions:
+      id-token: write
+      attestations: write
     if: contains(github.event.pull_request.labels.*.name, 'build-images') || github.ref == 'refs/heads/main' || github.event_name == 'merge_group'
     steps:
       - name: Set up QEMU
@@ -112,6 +115,40 @@ jobs:
           FURY_TOKEN: ${{ secrets.FURY_TOKEN }}
           GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
 
+      - uses: actions/upload-artifact@v4
+        with:
+          name: goreleaser-metadata
+          path: |
+            dist/*.json
+            dist/ledger_checksums.txt
+          retention-days: 7
+          compression-level: 0
+
+      # TODO(@sylr): Move this to the Release workflow when proven working.
+      # Generate attestations for the goreleaser output archives
+      - uses: actions/attest-build-provenance@v2
+        with:
+          subject-checksums: ./dist/ledger_checksums.txt
+      # Generate attestations for the goreleaser output binaries
+      - uses: actions/attest-build-provenance@v2
+        with:
+          subject-path: ./dist/*/**
+      # Extract image metadata from the artifacts.json file
+      - run: |
+          jq -r '[ .[]|select(.type=="Docker Manifest") | .extra.Digest         ] | to_entries | .[] | ( "digest"+ (.key | tostring) + "=" + .value )' < dist/artifacts.json >> "$GITHUB_OUTPUT"
+          jq -r '[ .[]|select(.type=="Docker Manifest") | .name | split(":")[0] ] | to_entries | .[] | ( "name"+ (.key | tostring) + "=" + .value )'   < dist/artifacts.json >> "$GITHUB_OUTPUT"
+        id: image_metadata
+      # Generate attestations for docker images
+      - uses: actions/attest-build-provenance@v2
+        with:
+          subject-digest: ${{ steps.image_metadata.outputs.digest0 }}
+          subject-name: ${{ steps.image_metadata.outputs.name0 }}
+          push-to-registry: true
+      - uses: actions/attest-build-provenance@v2
+        with:
+          subject-digest: ${{ steps.image_metadata.outputs.digest1 }}
+          subject-name: ${{ steps.image_metadata.outputs.name1 }}
+          push-to-registry: true
 
   Deploy:
     runs-on: "shipfox-2vcpu-ubuntu-2404"
@@ -145,4 +182,4 @@ jobs:
           --secret AUTH_TOKEN=$ARGOCD_REGION_AUTH_TOKEN
           +deploy-staging
           --TAG=$TAG
-          --COMPONENT=$COMPONENT
+          --COMPONENT=$COMPONENT