ci: don't block releases on attestation step + grant scope on release path

- release.yml's publish-docker job now grants attestations:write so the
  reusable-workflow chain (release.yml -> publish.yml -> publish-webapp.yml)
  carries the scope all the way to actions/attest-build-provenance.
- continue-on-error on the attestation step itself: image is already
  pushed by the time this runs, so a Sigstore outage or GHCR referrer
  hiccup shouldn't fail the workflow and block the downstream publish-helm
  job. Real config errors still surface as a step warning.

Author: myftija

.github/workflows/publish-webapp.yml

@@ -115,6 +115,10 @@ jobs:
             sentry_auth_token=${{ secrets.SENTRY_AUTH_TOKEN }}
 
       - name: 🪪 Attest build provenance
+        # Image is already pushed by this point — don't fail releases (and the
+        # downstream publish-helm job) on a Sigstore/GHCR-referrer hiccup. Real
+        # config errors still surface as a step warning in the workflow run.
+        continue-on-error: true
         uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
         with:
           subject-name: ghcr.io/triggerdotdev/trigger.dev

.github/workflows/release.yml

@@ -169,6 +169,7 @@ jobs:
       contents: read
       packages: write
       id-token: write
+      attestations: write
     uses: ./.github/workflows/publish.yml
     secrets:
       DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}