ci: Upgrade release pipeline actions

Author: foxcpp

.github/workflows/release.yml

@@ -4,6 +4,11 @@ on:
   push:
     tags: [ "v*" ]
 
+permissions:
+  id-token: write
+  contents: read
+  attestations: write
+
 jobs:
   artifact-builder:
     name: "Prepare release artifacts"
@@ -45,33 +50,37 @@ jobs:
           name: maddy-binary.tar.zst
           path: '~/maddy-x86_64-linux-musl.tar.zst'
           if-no-files-found: error
+      - name: "Generate artifact attestation"
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-path: '~/maddy-x86_64-linux-musl.tar.zst'
   docker-builder:
     name: "Build & push Docker image"
     if: github.ref_type == 'tag'
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
       - name: "Set up QEMU"
         uses: docker/setup-qemu-action@v1
         with:
           platforms: arm64
       - name: "Set up Docker Buildx"
         id: buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v3
       - name: "Login to Docker Hub"
-        uses: docker/login-action@v1
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_PASSWORD }}
       - name: "Login to GitHub Container Registry"
-        uses: docker/login-action@v1
+        uses: docker/login-action@v3
         with:
           registry: "ghcr.io"
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: "Generate container metadata"
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@v5
         id: meta
         with:
           images: |
@@ -85,11 +94,19 @@ jobs:
             org.opencontainers.image.documentation=https://maddy.email/docker/
             org.opencontainers.image.url=https://maddy.email
       - name: "Build and push"
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v6
+        id: docker
         with:
           context: .
           platforms: linux/amd64,linux/arm64
           file: Dockerfile
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+      - name: "Generate container attestation"
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-name: ghcr.io/foxcpp/maddy
+          subject-digest: ${{ steps.docker.outputs.digest }}
+          push-to-registry: true
+