chore(ci): add cosign signing and provenance attestation to multi-OS release workflow

.github/workflows/multiOSReleases.yml

@@ -527,7 +527,9 @@ jobs:
     needs: [determine-matrix, build, build-jars]
     runs-on: ubuntu-latest
     permissions:
+      attestations: write
       contents: write
+      id-token: write
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
@@ -561,6 +563,82 @@ jobs:
       - name: Display structure of downloaded files
         run: ls -R ./artifacts
 
+      - name: Install cosign
+        uses: sigstore/cosign-installer@v3.7.0
+
+      - name: Sign release artifacts with cosign
+        env:
+          COSIGN_EXPERIMENTAL: "true"
+        run: |
+          while IFS= read -r -d '' file; do
+            echo "Signing ${file}"
+            cosign sign-blob --yes \
+              --bundle "${file}.sigstore.json" \
+              "${file}"
+          done < <(find ./artifacts -type f \( -name "*.jar" -o -name "*.msi" -o -name "*.dmg" -o -name "*.deb" -o -name "*.AppImage" \) -print0)
+
+      - name: Generate provenance statement
+        run: |
+          python - <<'PY'
+          import hashlib
+          import json
+          from pathlib import Path
+
+          artifacts_dir = Path("artifacts")
+          patterns = (".jar", ".msi", ".dmg", ".deb", ".AppImage")
+          subjects = []
+          for path in artifacts_dir.rglob("*"):
+            if path.is_file() and path.suffix in patterns:
+              digest = hashlib.sha256(path.read_bytes()).hexdigest()
+              subjects.append(
+                {
+                  "name": str(path.relative_to(artifacts_dir)),
+                  "digest": {"sha256": digest},
+                }
+              )
+
+          if not subjects:
+            raise SystemExit("No artifacts found for provenance statement.")
+
+          statement = {
+            "_type": "https://in-toto.io/Statement/v0.1",
+            "subject": subjects,
+            "predicateType": "https://slsa.dev/provenance/v1",
+            "predicate": {
+              "builder": {
+                "id": "https://github.com/${{ github.repository }}/.github/workflows/multiOSReleases.yml@${{ github.sha }}",
+              },
+              "buildType": "https://github.com/actions/runner/github-hosted",
+              "invocation": {
+                "configSource": {
+                  "uri": "https://github.com/${{ github.repository }}",
+                  "digest": {"sha1": "${{ github.sha }}"},
+                  "entryPoint": ".github/workflows/multiOSReleases.yml",
+                },
+                "parameters": {
+                  "workflow": "${{ github.workflow }}",
+                  "runId": "${{ github.run_id }}",
+                },
+              },
+              "metadata": {"buildInvocationId": "${{ github.run_id }}"},
+            },
+          }
+
+          provenance_path = artifacts_dir / "provenance.intoto.jsonl"
+          provenance_path.write_text(f"{json.dumps(statement)}\n", encoding="utf-8")
+          print(f"Wrote provenance to {provenance_path}")
+          PY
+
+      - name: Attest release artifacts
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-path: |
+            ./artifacts/**/*.jar
+            ./artifacts/**/*.msi
+            ./artifacts/**/*.dmg
+            ./artifacts/**/*.deb
+            ./artifacts/**/*.AppImage
+
       - name: Upload binaries to Release
         uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
         with:
@@ -572,5 +650,7 @@ jobs:
             ./artifacts/**/*.dmg
             ./artifacts/**/*.deb
             ./artifacts/**/*.AppImage
+            ./artifacts/**/*.sigstore.json
+            ./artifacts/**/*.intoto.jsonl
           draft: false
           prerelease: false