Add Github Attestations support

.github/workflows/build-and-push.yaml

@@ -49,6 +49,7 @@ jobs:
 
       - name: Bake ${{ matrix.base_image }} containers
         uses: docker/bake-action@v4
+        id: build
         env:
           BASE_TAGS: "${{ env.BASE_TAGS }}"
           CONTAINER_REGISTRIES: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
@@ -63,3 +64,15 @@ jobs:
             *.platform=linux/amd64,linux/arm64
             *.cache-from=type=gha
             *.cache-to=type=gha,mode=max
+
+      - name: Extract digest
+        id: digest
+        run: |
+          echo "${{ steps.build.outputs.metadata }}" | jq -r ".["${{ matrix.base_image }}-multi"].containerimage.digest"
+
+      - name: Generate build provenance attestation
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          subject-digest: ${{ steps.digest }}
+          push-to-registry: true