ci: update release workflows; add artifact attestation & SLSA

Author: Nicconike

.github/workflows/coverage.yml

@@ -5,6 +5,7 @@ on:
         branches: [master]
         paths:
             - ".github/workflows/coverage.yml"
+            - "api/*.py"
             - "tests/*.py"
             - "sonar-project.properties"
     pull_request:

.github/workflows/release.yml

@@ -8,7 +8,6 @@ on:
         paths:
             - ".github/workflows/release.yml"
             - "api/*.py"
-            - "templates/*.j2"
             - "pyproject.toml"
             - "Dockerfile"
 
@@ -29,6 +28,7 @@ jobs:
         permissions:
             id-token: write
             contents: write
+            attestations: write
         environment:
             name: pypi
             url: https://pypi.org/project/Wakatime-Leaderboards/
@@ -89,6 +89,13 @@ jobs:
                   pip install build==1.3.0
                   python -m build
 
+            - name: Generate Artifact Attestation
+              uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
+              with:
+                  subject-name: waka-leaderboards-python-dist
+                  subject-path: dist/*
+                  push-to-registry: true
+
             - name: Publish to PyPI
               uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
               with:
@@ -133,7 +140,7 @@ jobs:
               if: github.event_name != 'pull_request'
               uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0
               with:
-                  cosign-release: "v2.6.0"
+                  cosign-release: "v3.0.1"
 
             - name: Setup Docker Buildx
               uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
@@ -184,12 +191,20 @@ jobs:
                   DIGEST: ${{ steps.push.outputs.digest }}
               run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
 
-            - name: Generate Artifact Attestation
-              uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
+            # - name: Generate Artifact Attestation
+            #   uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
+            #   with:
+            #       subject-name: ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}
+            #       subject-digest: ${{ steps.push.outputs.digest }}
+            #       push-to-registry: true
+
+            - name: Generate SLSA3 Provenance
+              uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0
               with:
-                  subject-name: ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}
-                  subject-digest: ${{ steps.push.outputs.digest }}
-                  push-to-registry: true
+                  image: ${{ needs.push.outputs.image }}
+                  digest: ${{ needs.push.outputs.digest }}
+                  registry-username: ${{ github.actor }}
+                  registry-password: ${{ secrets.GITHUB_TOKEN }}
 
             - name: Docker Scout Scan
               uses: docker/scout-action@f8c776824083494ab0d56b8105ba2ca85c86e4de # v1.18.2

.github/workflows/scorecard.yml .github/workflows/scorecards.yml.github/workflows/scorecard.yml renamed to .github/workflows/scorecards.yml

@@ -23,8 +23,13 @@ jobs:
             github.actor != 'protected-auto-commits[bot]'
         runs-on: ubuntu-latest
         steps:
+            - name: Harden the runner
+              uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+              with:
+                  egress-policy: audit
+
             - name: GitHub App Token
-              uses: actions/create-github-app-token@v2
+              uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
               id: app-token
               with:
                   app-id: ${{ secrets.GH_APP_ID }}