fix(ci): give the GHCR build step an id so attestation can resolve the digest

sassman · sassman · commit 00d2c85969e6 · 2026-05-06T21:44:19.000+02:00
- attestation step referenced `steps.push.outputs.digest`, but the build/push step had no `id: push`, so subject-digest resolved empty and `attest-build-provenance` errored out with "One of subject-path or subject-digest must be provided"
- adding `id: push` exposes the digest output from `docker/build-push-action@v6`
- GHCR attestations are kept (unlike Docker Hub's) because GitHub surfaces them in the package UI and they integrate with native build provenance

Signed-off-by: Sven Kanoldt &lt;sven@d34dl0ck.me&gt;
diff --git a/.github/workflows/publish-to-ghcr.yml b/.github/workflows/publish-to-ghcr.yml
@@ -41,6 +41,7 @@ jobs:
         uses: docker/setup-buildx-action@v3
 
       - name: Build and push Docker image
+        id: push
         uses: docker/build-push-action@v6
         with:
           platforms: linux/amd64,linux/arm64
