fix: missing token handling (#90)

Author: DerekRoberts

README.md

@@ -90,7 +90,7 @@ Only GitHub Container Registry (ghcr.io) is supported so far.
 
 # Example, Single Build
 
-Build a single subfolder with a Dockerfile in it.  Deletes old packages, keeping the last 50.  Runs on pull requests (PRs).
+Build a single subfolder with a Dockerfile in it.  Runs on pull requests (PRs).
 
 ```yaml
 builds:

action.yml

@@ -219,53 +219,28 @@ runs:
         path: sboms/
         if-no-files-found: error
 
-    - name: Check attestation permissions
-      id: check_permissions
+    - name: Attestation
+      continue-on-error: true
+      id: attestation
       if: steps.build.outputs.triggered == 'true'
-      shell: bash
-      run: |
-        # Get workflow permissions
-        PERMISSIONS=$(curl -s -H "Authorization: Bearer ${{ inputs.token }}" \
-          "https://api.github.com/repos/${{ github.repository }}/actions/workflows/${{ github.workflow }}/permissions")
-        
-        # Check for both id-token:write and attestations:write permissions
-        if echo "$PERMISSIONS" | grep -q '"id-token":[[:space:]]*"write"' && \
-           echo "$PERMISSIONS" | grep -q '"attestations":[[:space:]]*"write"'
-        then
-          echo "Both id-token:write and attestations:write permissions are available"
-          echo "has_permissions=true" >> $GITHUB_OUTPUT
-        else
-          echo "Missing required permissions. Both id-token:write and attestations:write are needed for attestation"
-        fi
-        
-    - name: Attest
       uses: actions/attest@v2.3.0
-      if: steps.build.outputs.triggered == 'true' && steps.check_permissions.outputs.has_permissions == 'true'
       with:
         subject-name: ghcr.io/${{ github.event.repository.name }}/${{ inputs.package }}
         subject-digest: ${{ steps.build_and_push.outputs.digest }}
         predicate-type: 'https://in-toto.io/attestation/release/v0.1'
         predicate: '{"purl":"pkg:oci/${{ github.event.repository.name }}/${{ inputs.package }}"}'
 
+    - name: Prompt user to fix permissions
+      if: steps.attestation.outcome == 'failure'
+      shell: bash
+      run: |
+        echo "::warning::Attestation skipped due to missing id-token:write and attestations:write permissions. Please update workflow permissions."
+
     # Action repo needs to be present for cleanup/tests
     - name: Checkout local repo to make sure action.yml is present
       if: github.repository != inputs.repository
       uses: actions/checkout@v4
 
-    # Get the digest of the built image from the build-push-action output
-    - name: Validate digest
-      env:
-        IMAGE: ghcr.io/${{ steps.vars.outputs.repo_lower }}/${{ steps.vars.outputs.package_lower }}@${{ steps.build_and_push.outputs.digest }}
-      id: digest
-      if: steps.build.outputs.triggered == 'true'
-      shell: bash
-      run: |
-        # Validate digest using docker manifest inspect (faster than docker pull)
-        if ! docker manifest inspect "$IMAGE" > /dev/null; then
-          echo "Error: Failed to inspect manifest for $IMAGE" >&2
-          exit 1
-        fi
-
     - name: Print summary outputs
       shell: bash
       run: |