feat(release): add build provenance attestations (#28)

* feat(release): add build provenance attestations

- Add id-token and attestations permissions
- Generate attestation for each build artifact using actions/attest-build-provenance@v1
- Attestations provide cryptographic proof of build integrity and source

Users can verify attestations with:
  gh attestation verify <artifact> --owner RichardSlater

* fix(release): extract GitHub username from commit author email

- Use git log format '%aN <%aE>' to get both name and email
- Extract GitHub username from @users.noreply.github.com emails via sed
- Fall back to author name for non-GitHub emails
- Ensures @mentions in release notes link to correct GitHub users

Example transformations:
  'Richard Slater <123456+RichardSlater@users.noreply.github.com>' -> '@RichardSlater'
  'John Doe <john@example.com>' -> '@john Doe'

Author: RichardSlater

.github/workflows/release.yml

@@ -22,6 +22,8 @@ on:
 
 permissions:
   contents: write
+  id-token: write
+  attestations: write
 
 jobs:
   build:
@@ -156,6 +158,11 @@ jobs:
           name: ${{ matrix.name }}
           path: release/
 
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-path: 'release/*.tar.gz,release/*.zip'
+
   release:
     name: Create Release
     needs: build
@@ -199,16 +206,23 @@ jobs:
         run: |
           set -euo pipefail
           echo "Using release tag: $RELEASE_TAG"
+
+          # Function to format commit authors: extract GitHub username from email or use name
+          format_authors() {
+            sed -E 's/@([^<]+) <([^@]+)@users\.noreply\.github\.com>/@\2/g' | \
+            sed -E 's/@([^<]+) <[^>]+>/@\1/g'
+          }
+
           # ensure tags are available
           git fetch --tags --prune || true
           # find previous tag by creation date (exclude current)
           PREV_TAG=$(git tag --sort=-creatordate | grep -v "^${RELEASE_TAG}$" | head -n1 || true)
           if [ -n "$PREV_TAG" ]; then
             RANGE="$PREV_TAG..$RELEASE_TAG"
-            COMMITS=$(git log --pretty=format:'- %h %s — @%an' "$PREV_TAG..$RELEASE_TAG" || true)
+            COMMITS=$(git log --pretty=format:'- %h %s — @%aN <%aE>' "$PREV_TAG..$RELEASE_TAG" | format_authors || true)
           else
             RANGE="$RELEASE_TAG"
-            COMMITS=$(git log --pretty=format:'- %h %s — @%an' "$RELEASE_TAG" -n 50 || true)
+            COMMITS=$(git log --pretty=format:'- %h %s — @%aN <%aE>' "$RELEASE_TAG" -n 50 | format_authors || true)
           fi
           if [ -z "$COMMITS" ]; then
             COMMITS="(no commits found)"

README.md

@@ -1,7 +1,7 @@
 # Bromcom Timetable Formatter
 
 [![CI](https://github.com/RichardSlater/bromcom-timetable-formatter/actions/workflows/ci.yml/badge.svg?branch=main)](https://github.com/RichardSlater/bromcom-timetable-formatter/actions/workflows/ci.yml)
-[![Release Workflow](https://github.com/RichardSlater/bromcom-timetable-formatter/actions/workflows/release.yml/badge.svg?branch=main)](https://github.com/RichardSlater/bromcom-timetable-formatter/actions/workflows/release.yml)
+[![Release Workflow](https://github.com/RichardSlater/bromcom-timetable-formatter/actions/workflows/release.yml/badge.svg?event=push)](https://github.com/RichardSlater/bromcom-timetable-formatter/actions/workflows/release.yml)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)
 
 A small Rust workspace that parses Bromcom-produced PDF timetables and renders a printable A4 SVG-style weekly timetable, with a color-coded timetable grid and an embedded school map highlighting departments.