chore(ci): add cosign signing and provenance attestation to multi-OS release workflow

.github/workflows/multiOSReleases.yml

@@ -527,7 +527,9 @@ jobs:
     needs: [determine-matrix, build, build-jars]
     runs-on: ubuntu-latest
     permissions:
+      attestations: write
       contents: write
+      id-token: write
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
@@ -561,6 +563,30 @@ jobs:
       - name: Display structure of downloaded files
         run: ls -R ./artifacts
 
+      - name: Install cosign
+        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
+
+      - name: Sign release artifacts with cosign
+        env:
+          COSIGN_EXPERIMENTAL: "true"
+        run: |
+          while IFS= read -r -d '' file; do
+            echo "Signing ${file}"
+            cosign sign-blob --yes \
+              --bundle "${file}.sigstore.json" \
+              "${file}"
+          done < <(find ./artifacts -type f \( -name "*.jar" -o -name "*.msi" -o -name "*.dmg" -o -name "*.deb" -o -name "*.AppImage" \) -print0)
+
+      - name: Attest release artifacts
+        uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2.4.0
+        with:
+          subject-path: |
+            ./artifacts/**/*.jar
+            ./artifacts/**/*.msi
+            ./artifacts/**/*.dmg
+            ./artifacts/**/*.deb
+            ./artifacts/**/*.AppImage
+
       - name: Upload binaries to Release
         uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
         with:
@@ -572,5 +598,7 @@ jobs:
             ./artifacts/**/*.dmg
             ./artifacts/**/*.deb
             ./artifacts/**/*.AppImage
+            ./artifacts/**/*.sigstore.json
+            ./artifacts/**/*.intoto.jsonl
           draft: false
           prerelease: false