feat: add subject & digest for provenance attestation

blaggacao · blaggacao · commit 646670e19ad5 · 2024-08-06T12:30:08.000+02:00
```yaml
  - name: Generate artifact attestation
    uses: actions/attest-build-provenance@v1
    with:
      subject-name: ${{ steps.publish.outputs.name }}
      subject-digest: ${{ steps.publish.outputs.digest }}
      push-to-registry: true
```
diff --git a/src/std/fwlib/blockTypes/containers.nix b/src/std/fwlib/blockTypes/containers.nix
@@ -63,6 +63,15 @@ in
       (mkCommand currentSystem "publish" "copy the image to its remote registry" [skopeo-nix2container] ''
           ${copyFn}
           copy docker://${target.image.repo}
+
+          # Get the digest of the published image
+          DIGEST=$(skopeo inspect --raw docker://${target.image.repo}:${builtins.head target.image.tags} | jq -r '.manifests[0].digest')
+
+          # Conditionally output the name and digest for GitHub Actions
+          if [ -n "$GITHUB_OUTPUT" ]; then
+            echo "name=${target.image.repo}" >> "$GITHUB_OUTPUT"
+            echo "digest=$DIGEST" >> "$GITHUB_OUTPUT"
+          fi
         '' {
           meta.image = target.image.name;
           inherit proviso;
