BCR SLSA (#315)

* BCR SLSA

Implement attestation for BCR

* version

Author: tinder-maxwellelliott

.github/workflows/ci.yaml

@@ -145,6 +145,10 @@ jobs:
   deploy:
     needs: [test-jre21]
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+      attestations: write
     strategy:
       matrix:
         java: [ '11' ]
@@ -177,3 +181,11 @@ jobs:
           name: release.tar.gz
           path: archives/release.tar.gz
           if-no-files-found: error
+      - name: Attest deploy JAR provenance
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-path: 'bazel-bin/cli/bazel-diff_deploy.jar'
+      - name: Attest source archive provenance
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-path: 'archives/release.tar.gz'

.github/workflows/publish.yaml

@@ -14,13 +14,15 @@ jobs:
       tag_name: ${{ inputs.tag_name }}
       # GitHub repository which is a fork of the upstream where the Pull Request will be opened.
       registry_fork: maxwellE/bazel-central-registry
-      attest: false
+      attest: true
       author_name: Maxwell Elliott
       author_email: maxwell@elliott.now
       committer_name: Maxwell Elliott
       committer_email: maxwell@elliott.now
     permissions:
       contents: write
+      id-token: write
+      attestations: write
     secrets:
       # Necessary to push to the BCR fork, and to open a pull request against a registry
       publish_token: ${{ secrets.BCR_PUBLISH_TOKEN }}

MODULE.bazel

@@ -1,6 +1,6 @@
 module(
     name = "bazel-diff",
-    version = "17.0.1",
+    version = "17.0.2",
     compatibility_level = 0,
 )