UID2-6764: enable SLSA provenance attestation

.github/workflows/release-docker-image.yaml

@@ -45,6 +45,14 @@ on:
 
 jobs:
   Image:
+    permissions:
+      contents: write
+      security-events: write
+      packages: write
+      pull-requests: write
+      id-token: write
+      attestations: write
+      artifact-metadata: write
     uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-publish-java-to-docker-versioned.yaml@v3
     with: 
       release_type: ${{ inputs.release_type }}

README.md

@@ -40,3 +40,20 @@ mvn clean compile exec:java -Dvertx-config-path=conf/local-config.json
 mvn clean compile exec:java -Dvertx-config-path=conf/integ-config.json
 ```
 
+## Verifying image provenance
+
+Every non-snapshot image published by this repo's release workflow ships with a [SLSA v1.0](https://slsa.dev/spec/v1.0/) build-provenance attestation, signed by GitHub's [Sigstore](https://www.sigstore.dev/) instance via the OIDC identity of the [shared publish workflow](https://github.com/IABTechLab/uid2-shared-actions). The attestation cryptographically binds the image digest to the source commit, the signing workflow, and the runner that built it.
+
+To verify an image, install [`gh`](https://cli.github.com/) (≥ 2.49) and run:
+
+```bash
+gh attestation verify \
+  oci://ghcr.io/iabtechlab/uid2-optout:<tag> \
+  --owner IABTechLab \
+  --signer-repo IABTechLab/uid2-shared-actions
+```
+
+A successful run prints `✓ Verification succeeded!` followed by the SLSA provenance fields — including `sourceRepositoryDigest` (the source commit), `workflow.path` (the signing workflow), and the runner identity.
+
+Snapshot tags (`-SNAPSHOT` suffix) deliberately skip attestation. `gh attestation verify` returns `no attestations found` against a snapshot — that's expected.
+