add artifact attestation

Signed-off-by: drfaust92 <[email protected]>

Author: DrFaust92

.github/workflows/release.yaml

@@ -16,6 +16,7 @@ jobs:
       contents: write # to push chart release and create a release (helm/chart-releaser-action)
       packages: write # needed for ghcr access
       id-token: write # needed for keyless signing
+      attestations: write # needed for artifact attestation
     steps:
       - name: Checkout
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
@@ -49,6 +50,20 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Push chart to GHCR
+        id: push-chart
         run: |
           helm package charts/atlantis
-          helm push atlantis-*.tgz oci://ghcr.io/${GITHUB_REPOSITORY_OWNER}/charts
+
+          # Push and capture output to get the OCI digest
+          PUSH_OUTPUT=$(helm push atlantis-*.tgz oci://ghcr.io/${GITHUB_REPOSITORY_OWNER}/charts 2>&1)
+                    
+          # Extract the OCI digest from helm push output
+          DIGEST=$(echo "${PUSH_OUTPUT}" | grep -o 'sha256:[a-f0-9]\{64\}')
+          echo "digest=${DIGEST}" >> $GITHUB_OUTPUT
+
+      - name: Attest chart OCI artifact
+        uses: actions/attest-build-provenance@v3
+        with:
+          subject-name: ghcr.io/${{ github.repository_owner }}/charts/atlantis
+          subject-digest: ${{ steps.push-chart.outputs.digest }}
+          push-to-registry: true

charts/atlantis/Chart.yaml

@@ -3,7 +3,7 @@ apiVersion: v1
 appVersion: v0.36.0
 description: A Helm chart for Atlantis https://www.runatlantis.io
 name: atlantis
-version: 5.20.2
+version: 5.20.3
 keywords:
   - terraform
 home: https://www.runatlantis.io