Add step to tag image as latest-validated after validation

This commit introduces a new job in the GitHub Actions workflow to tag the image as `latest-validated`
if it passes the validation. This ensures that only validated images receive this
tag, providing a safer option than using the `latest` tag, which may include failed validated  images.

resloves: ec-63
signed off by: Sean Conroy [email protected]

.github/workflows/release.yaml

@@ -83,12 +83,33 @@ jobs:
       registry-password: ${{ secrets.GITHUB_TOKEN }}
 
   validate:
-    needs: provenance
+    needs: [provenance, build]
     runs-on: ubuntu-latest
     steps:
       - name: Validate image
         uses: enterprise-contract/action-validate-image@latest
         with:
-          image: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_REPO }}:${{ env.DIGEST }}
+          image: ${{ needs.build.outputs.image }}@${{ needs.build.outputs.digest }}
           identity: https:\/\/github\.com\/(slsa-framework\/slsa-github-generator|${{ github.repository_owner }}\/${{ github.event.repository.name }})\/
           issuer: https://token.actions.githubusercontent.com
+
+  Add-Tag-Validate:
+    runs-on: ubuntu-latest
+    needs: [validate, build]
+    steps:  
+      # needed to login into ghcr.io and push the tag
+      - name: Log in to ghcr
+        uses: redhat-actions/podman-login@9184318aae1ee5034fbfbacc0388acf12669171f # v1
+        with:
+          registry: ${{ env.IMAGE_REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ github.token }}
+
+      - name: Pull image using Buildah
+        run: buildah pull ${{ needs.build.outputs.image }}@${{ needs.build.outputs.digest }}
+
+      - name: Tag image with latest-validated
+        run: buildah tag ${{ needs.build.outputs.image }}@${{ needs.build.outputs.digest }} ${{ needs.build.outputs.image }}:latest-validated
+
+      - name: Push latest-validated image tag 
+        run: buildah push ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_REPO }}:latest-validated