ci: use goreleaser native provenance (#751)

Author: v1v

.ci/get-docker-provenance.sh

@@ -75,24 +75,12 @@ jobs:
       - name: generate build provenance (binaries)
         uses: actions/attest-build-provenance@v3
         with:
-          subject-path: "${{ github.workspace }}/dist/*.*"
+          subject-checksums: ./dist/checksums.txt
 
-      # See https://github.com/github-early-access/generate-build-provenance/issues/162
-      - name: container image digest
-        id: image
-        run: .ci/get-docker-provenance.sh
-
-      - name: generate build provenance (containers x86_64)
-        uses: actions/attest-build-provenance@v3
-        with:
-          subject-name: ${{ steps.image.outputs.name_1 }}
-          subject-digest: ${{ steps.image.outputs.digest_1 }}
-
-      - name: generate build provenance (containers arm64)
+      - name: generate build provenance (docker images)
         uses: actions/attest-build-provenance@v3
         with:
-          subject-name: ${{ steps.image.outputs.name_2 }}
-          subject-digest: ${{ steps.image.outputs.digest_2 }}
+          subject-checksums: ./dist/digests.txt
 
       - name: GitHub Release
         run: make release-notes

.github/workflows/release.yml

@@ -65,30 +65,13 @@ jobs:
           path: "dist/*.*"
           retention-days: 5
 
+      # NOTE: snapshots won't push docker images hence we cannot run provenance on a PR basis
+      #       but only for binaries
       - name: generate build provenance (binaries)
         if: github.event.pull_request.head.repo.full_name == github.repository
         uses: actions/attest-build-provenance@v3
         with:
-          subject-path: "${{ github.workspace }}/dist/*.*"
-
-      # See https://github.com/github-early-access/generate-build-provenance/issues/162
-      - name: container image digest
-        id: image
-        run: .ci/get-docker-provenance.sh
-
-      - name: generate build provenance (containers x86_64)
-        if: github.event.pull_request.head.repo.full_name == github.repository
-        uses: actions/attest-build-provenance@v3
-        with:
-          subject-name: ${{ steps.image.outputs.name_1 }}
-          subject-digest: ${{ steps.image.outputs.digest_1 }}
-
-      - name: generate build provenance (containers arm64)
-        if: github.event.pull_request.head.repo.full_name == github.repository
-        uses: actions/attest-build-provenance@v3
-        with:
-          subject-name: ${{ steps.image.outputs.name_2 }}
-          subject-digest: ${{ steps.image.outputs.digest_2 }}
+          subject-checksums: ./dist/checksums.txt
 
   lint:
     runs-on: ubuntu-latest

.github/workflows/test.yml

@@ -102,3 +102,10 @@ sboms:
   - artifacts: archive
     documents:
       - "{{ .ArtifactName }}.sbom.json"
+
+# Configure the checksums filename, to allow the GitHub attestation to pick up the correct filename
+checksum:
+  name_template: checksums.txt
+
+docker_digest:
+  name_template: "digests.txt"