Attest release image

This improves the release process in a few ways:
- Secrets for release are now stored in GitHub environments are only available when required
- Release repos now have signed commits and tags
- The base image is verified and pinned at the start of the build
- The release image is attested and can be easily verified even after the build logs expire
- `-dockerhub` tags are created that are the same as the normal version tags

Author: dflook

.github/workflows/release.yaml

@@ -4,29 +4,29 @@ on:
   release:
     types:
       - released
-  workflow_dispatch:
-    inputs:
-      tag_name:
-        description: "Tag to release"
-        required: true
 
 permissions:
   contents: read
 
 jobs:
   image:
     runs-on: ubuntu-24.04
-    name: Release Actions
+    name: Build release image
     permissions:
       contents: read
       packages: write
-    env:
-      GITHUB_TOKEN: ${{ secrets.RELEASE_GITHUB_TOKEN }}
+      id-token: write
+      attestations: write
+    environment:
+      name: dockerhub
+      url: https://hub.docker.com/r/danielflook/terraform-github-actions/tags?name=${{ github.event.release.tag_name }}
+    outputs:
+      digest: ${{ steps.image_build.outputs.digest }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
         with:
-          persist-credentials: true
+          persist-credentials: false
 
       - name: Check action documentation is up-to-date
         run: |
@@ -35,7 +35,7 @@ jobs:
 
       - name: Registry login
         env:
-          GITHUB_TOKEN: ${{ secrets.RELEASE_GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
         run: |
           echo $GITHUB_TOKEN | docker login ghcr.io --username dflook --password-stdin
@@ -47,32 +47,87 @@ jobs:
       - name: Build action image
         id: image_build
         env:
-          RELEASE_TAG: "${{ github.event.release.tag_name }}${{ github.event.inputs.tag_name }}"
+          RELEASE_TAG: "${{ github.event.release.tag_name }}"
+          GH_TOKEN: ${{ github.token }}
         run: |
+          BASE_TAG=$(docker buildx imagetools inspect danielflook/terraform-github-actions-base:latest --format '{{json .}}' | jq -r '.manifest.annotations."ref.tag"')
+          BASE_DIGEST=$(docker buildx imagetools inspect danielflook/terraform-github-actions-base:$BASE_TAG --format '{{json .}}' | jq -r '.manifest.digest')
+          
+          gh attestation verify --repo dflook/terraform-github-actions "oci://index.docker.io/danielflook/terraform-github-actions-base@$BASE_DIGEST"
+          
+          sed -i "s|FROM danielflook/terraform-github-actions-base:latest|FROM danielflook/terraform-github-actions-base@$BASE_DIGEST|" "image/Dockerfile"
+          
           docker buildx build \
             --build-arg FETCH_CHECKSUMS=yes \
             --build-arg VERSION="${RELEASE_TAG:1}" \
             --tag "danielflook/terraform-github-actions:$RELEASE_TAG" \
             --tag "ghcr.io/dflook/terraform-github-actions:$RELEASE_TAG" \
             --platform linux/amd64,linux/arm64 \
             --attest type=provenance,mode=max,builder-id=$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID \
+            --annotation "index,manifest:org.opencontainers.image.created=$(date '+%Y-%m-%dT%H:%M:%S%z')" \
+            --annotation "index,manifest:org.opencontainers.image.source=https://github.com/${{ github.repository }}" \
+            --annotation "index,manifest:org.opencontainers.image.revision=${{ github.sha }}" \
+            --annotation "index,manifest:org.opencontainers.image.version=$RELEASE_TAG" \
+            --annotation "index,manifest:org.opencontainers.image.title=terraform-github-actions" \
+            --annotation "index,manifest:org.opencontainers.image.description=GitHub actions for terraform" \
+            --annotation "index:org.opencontainers.image.ref.name=docker.io/danielflook/terraform-github-actions:$RELEASE_TAG" \
+            --annotation "index,manifest:builder-id=$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" \
+            --annotation "index,manifest:ref.tag=$RELEASE_TAG" \
+            --annotation "index,manifest:org.opencontainers.image.base.name=docker.io/danielflook/terraform-github-actions-base" \
+            --annotation "index:org.opencontainers.image.base.ref=$BASE_TAG" \
             --push \
             --iidfile manifest-list-digest.txt \
             image
 
           echo "digest=$(<manifest-list-digest.txt)" >> "$GITHUB_OUTPUT"
 
+      - name: Dockerhub ref attestation
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-name: index.docker.io/danielflook/terraform-github-actions
+          subject-digest: ${{ steps.image_build.outputs.digest }}
+
+      - name: GHCR ref attestation
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-name: ghcr.io/dflook/terraform-github-actions
+          subject-digest: ${{ steps.image_build.outputs.digest }}
+
+  actions:
+    runs-on: ubuntu-24.04
+    name: Release Actions
+    needs:
+      - image
+    environment:
+      name: release
+      url: https://github.com/dflook/terraform-github-actions/releases/tag/${{ github.event.release.tag_name }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Configure git
+        env:
+          GPG_KEY: ${{ secrets.RELEASE_GPG_KEY }}
+        run: |
+          echo "$GPG_KEY" | gpg --import
+          git config --global user.name "Daniel Flook"
+          git config --global user.email "daniel@flook.org"
+          git config --global user.signingkey "26AAA6B35318E5B7CF0823170FDD1CF4BEE12274"
+          git config --global commit.gpgSign true
+          git config --global tag.gpgSign true
+
       - name: Release actions
         env:
-          RELEASE_TAG: "${{ github.event.release.tag_name }}${{ github.event.inputs.tag_name }}"
-          IMAGE_DIGEST: ${{ steps.image_build.outputs.digest }}
+          GITHUB_TOKEN: ${{ secrets.RELEASE_GITHUB_TOKEN }}
+          RELEASE_TAG: "${{ github.event.release.tag_name }}"
+          IMAGE_DIGEST: ${{ needs.image.outputs.digest }}
         run: |
           export major=$(echo "$RELEASE_TAG" | cut -d. -f1)
           export minor=$(echo "$RELEASE_TAG" | cut -d. -f2)
 
-          git config --global user.name "Daniel Flook"
-          git config --global user.email "daniel@flook.org"
-          
           function prepare_release() {
               rsync -r "$GITHUB_WORKSPACE/$action/" "$HOME/$action"
               rm -rf "$HOME/$action/.github"
@@ -94,6 +149,9 @@ jobs:
               git -C "$HOME/$action" tag --force -a -m"$RELEASE_TAG" "$RELEASE_TAG"
               git -C "$HOME/$action" tag --force -a -m"$RELEASE_TAG" "$major"
               git -C "$HOME/$action" tag --force -a -m"$RELEASE_TAG" "$major.$minor"
+              git -C "$HOME/$action" tag --force -a -m"$RELEASE_TAG" "$RELEASE_TAG-dockerhub"
+              git -C "$HOME/$action" tag --force -a -m"$RELEASE_TAG" "$major-dockerhub"
+              git -C "$HOME/$action" tag --force -a -m"$RELEASE_TAG" "$major.$minor-dockerhub"
               git -C "$HOME/$action" push --force
               git -C "$HOME/$action" push --force --tags