Sign tejolote's provenance attestation

Signed-off-by: Adolfo Garcia Veytia (puerco) <puerco@carabiner.dev>

Author: puerco

.github/workflows/release.yml

@@ -60,8 +60,8 @@ jobs:
     runs-on: ubuntu-latest
 
     permissions:
-      id-token: write
-      contents: write
+      id-token: write # To sign the attestation
+      contents: write # To push to the release
 
     needs:
       - release
@@ -81,19 +81,19 @@ jobs:
           go-version-file: go.mod
           cache: false
 
+      - name: Setup bnd
+        uses: carabiner-dev/actions/install/bnd@440c76def32d40be101b68d1f6a6b284b79aa74c # v1.1.2
+
       - name: Build tejolote from source
         run: go build -o "${{ runner.temp }}/tejolote" ./cmd/tejolote/
 
-      - run: |
-          "${{ runner.temp }}/tejolote" attest --artifacts github://kubernetes-sigs/tejolote/${{ steps.tag.outputs.tag_name }} github://kubernetes-sigs/tejolote/"${GITHUB_RUN_ID}" --output tejolote.intoto.json --sign
+      - name: Generate and sign provenance
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          "${{ runner.temp }}/tejolote" attest \
+            --artifacts github://kubernetes-sigs/tejolote/${{ steps.tag.outputs.tag_name }} \
+            github://kubernetes-sigs/tejolote/"${GITHUB_RUN_ID}" --output provenance.json
 
-      - name: Release
-        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
-        with:
-          files: tejolote.intoto.json
-          tag_name: "${{ steps.tag.outputs.tag_name }}"
-          token: ${{ secrets.GITHUB_TOKEN }}
-        env:
-          GITHUB_REPOSITORY: kubernetes-sigs/tejolote
+          bnd statement provenance.json -o tejolote-${{ steps.tag.outputs.tag_name }}.provenance.json \
+          gh release upload ${{ steps.tag.outputs.tag_name }} tejolote-${{ steps.tag.outputs.tag_name }}.provenance.json