feat: add image attestation workflow step (#5158)

Signed-off-by: Dan Urson <[email protected]>

Author: notdurson

.github/workflows/atlantis-image.yml

@@ -45,6 +45,11 @@ jobs:
     needs: [changes]
     if: needs.changes.outputs.should-run-build == 'true'
     name: Build Image
+    permissions:
+      contents: read
+      id-token: write
+      packages: write
+      attestations: write
     strategy:
       matrix:
         image_type: [alpine, debian]
@@ -129,6 +134,7 @@ jobs:
       run: echo "RELEASE_VERSION=${{ startsWith(github.ref, 'refs/tags/') && '${GITHUB_REF#refs/*/}' || 'dev' }}" >> $GITHUB_ENV
 
     - name: "Build ${{ env.PUSH == 'true' && 'and push' || '' }} ${{ env.DOCKER_REPO }} image"
+      id: build
       if: contains(fromJson('["push", "pull_request"]'), github.event_name)
       uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6
       with:
@@ -147,6 +153,14 @@ jobs:
         labels: ${{ steps.meta.outputs.labels }}
         outputs: type=image,name=target,annotation-index.org.opencontainers.image.description=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.description'] }}
 
+    - name: "Sign and Attest Image"
+      if: env.PUSH == 'true'
+      uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0
+      with:
+        subject-digest: ${{ steps.build.outputs.digest }}
+        subject-name: ghcr.io/${{ github.repository }}
+        push-to-registry: true
+
   test:
     needs: [changes]
     if: needs.changes.outputs.should-run-build == 'true'
@@ -201,4 +215,4 @@ jobs:
         image_type: [alpine, debian]
     runs-on: ubuntu-24.04
     steps:
-      - run: 'echo "No build required"'
+      - run: 'echo "No build required"'