Open
Description
@arjundashrath slight change of plans.
Instead of inspecting npm publish, let us first inspect the docker build and publish events and generate provenance for the docker image.
We can pilot it with this workflow: https://github.com/madnuttah/unbound-docker/blob/c8a2b7a23028f22028ec0b4bfea28bb3441a090c/.github/workflows/build-unbound.yaml#L53 and potentially this one: https://github.com/Januson/docker-image-zola/blob/aec648b4ec0106667a239ba682d77be900bcc43f/.github/workflows/release.yml#L68
harden-runner should push the provenance record automatically to the docker registry.
We already monitor docker images. You need to identify the right image that was created, generate provenance, and push it.