feat: add subject & digest for provenance attestation

blaggacao · blaggacao · commit fde88e53ecd0 · 2024-08-06T12:08:36.000+02:00
```yaml
  - name: Generate artifact attestation
    uses: actions/attest-build-provenance@v1
    with:
      subject-name: ${{ steps.publish.outputs.name }}
      subject-digest: ${{ steps.publish.outputs.digest }}
      push-to-registry: true
```
diff --git a/src/std/fwlib/blockTypes/containers.nix b/src/std/fwlib/blockTypes/containers.nix
@@ -63,6 +63,15 @@ in
       (mkCommand currentSystem "publish" "copy the image to its remote registry" [skopeo-nix2container] ''
           ${copyFn}
           copy docker://${target.image.repo}
+
+          # Get the digest of the published image
+          DIGEST=$(skopeo inspect --raw docker://${target.image.repo}:${builtins.head target.image.tags} | jq -r '.manifests[0].digest')
+
+          # Conditionally output the name and digest for GitHub Actions
+          if [ -n "$GITHUB_OUTPUT" ]; then
+            echo "name=${target.image.repo}" >> $GITHUB_OUTPUT
+            echo "digest=$DIGEST" >> $GITHUB_OUTPUT
+          fi
         '' {
           meta.image = target.image.name;
           inherit proviso;
