feat(ci): Add source code tarball (#772)

Signed-off-by: Javier Rodriguez <[email protected]>

Author: javirln

.github/workflows/contracts/chainloop-vault-release.yml

@@ -42,3 +42,6 @@ materials:
   - type: ARTIFACT
     name: cli-darwin-amd64
     output: true
+  - type: ARTIFACT
+    name: source-code
+    output: true

.github/workflows/release.yaml

@@ -27,6 +27,7 @@ jobs:
       CHAINLOOP_ROBOT_ACCOUNT: ${{ secrets.CHAINLOOP_ROBOT_ACCOUNT }}
       CONTAINER_IMAGE_CP: ghcr.io/chainloop-dev/chainloop/control-plane:${{ github.ref_name }}
       CONTAINER_IMAGE_CAS: ghcr.io/chainloop-dev/chainloop/artifact-cas:${{ github.ref_name }}
+      GH_TOKEN: ${{ github.token }}
     steps:
       - name: Install Cosign
         uses: sigstore/cosign-installer@ef6a6b364bbad08abd36a5f8af60b595d12702f8 # main
@@ -112,6 +113,16 @@ jobs:
               chainloop attestation add --name ${BINARY_NAME} --value ${BINARY_PATH} || true
             done
 
+      - name: Add Attestation Artifacts (source code)
+        run: |
+          # When the trigger of the action is a release, github.ref contains refs/tags/<tag_name>
+          # Reference: https://docs.github.com/en/actions/learn-github-actions/contexts#github-context
+
+          tag=$(echo -n ${{github.ref}} | cut -d / -f3)
+          version=$(echo -n $tag | sed 's/v//g')
+          gh release download $tag -A tar.gz -D /tmp
+          chainloop attestation add --name source-code --value "/tmp/chainloop-$version.tar.gz"
+
       - name: Finish and Record Attestation
         if: ${{ success() }}
         run: |