feat: add subject & digest for provenance attestation

```yaml - name: Generate artifact attestation uses: actions/attest-build-provenance@v1 with: subject-name: ${{ steps.publish.outputs.name }} subject-digest: ${{ steps.publish.outputs.digest }} push-to-registry: true ```
divnix · Aug 6, 2024 · 646670e · 646670e
1 parent f8f6f70
commit 646670e
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/src/std/fwlib/blockTypes/containers.nix b/src/std/fwlib/blockTypes/containers.nix
@@ -63,6 +63,15 @@ in
       (mkCommand currentSystem "publish" "copy the image to its remote registry" [skopeo-nix2container] ''
           ${copyFn}
           copy docker://${target.image.repo}
+
+          # Get the digest of the published image
+          DIGEST=$(skopeo inspect --raw docker://${target.image.repo}:${builtins.head target.image.tags} | jq -r '.manifests[0].digest')
+
+          # Conditionally output the name and digest for GitHub Actions
+          if [ -n "$GITHUB_OUTPUT" ]; then
+            echo "name=${target.image.repo}" >> "$GITHUB_OUTPUT"
+            echo "digest=$DIGEST" >> "$GITHUB_OUTPUT"
+          fi
         '' {
           meta.image = target.image.name;
           inherit proviso;