cleanup: update files, add release workflow

Signed-off-by: K.B.Dharun Krishna <kbdharunkrishna@gmail.com>

Author: kbdharun

.gitattributes

@@ -0,0 +1,2 @@
+# Ref: https://git-scm.com/docs/gitattributes
+* text=auto eol=lf

.github/workflows/main.yml .github/workflows/build.yml.github/workflows/main.yml renamed to .github/workflows/build.yml

@@ -1,12 +1,13 @@
-name: build
+name: Build
 
 on:
   push:
     branches: [ "main" ]
+  pull_request:
 
 jobs:
   build:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
     container:
       image: ghcr.io/vanilla-os/pico:main
       volumes:
@@ -25,16 +26,29 @@ jobs:
     - name: Install needed packages
       run: apt update && apt install dpkg-dev build-essential debhelper librsvg2-bin optipng -y
 
-    - name: Build debian package
+    - name: Build Debian package
       run: |
         dpkg-buildpackage --no-sign
         mv ../*.deb ../desktop-base.deb
 
-    - uses: softprops/action-gh-release@v1
+    - name: Calculate and Save Checksums
+      run: |
+        sha256sum /__w/desktop-base/desktop-base.deb >> checksums.txt
+  
+    - uses: actions/upload-artifact@v4
+      with:
+        name: desktop-base
+        path: |
+            /__w/desktop-base/desktop-base.deb
+            checksums.txt
+
+    - uses: softprops/action-gh-release@v2
+      if: github.ref == 'refs/heads/main'
       with:
         token: "${{ secrets.GITHUB_TOKEN }}"
         tag_name: "continuous"
         prerelease: true
         name: "Continuous Build"
         files: |
           /__w/desktop-base/desktop-base.deb
+          checksums.txt

.github/workflows/release.yml

@@ -0,0 +1,75 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - '*'
+
+jobs:
+  build-artifacts:
+    runs-on: ubuntu-latest
+    container:
+      image: ghcr.io/vanilla-os/pico:main
+      volumes:
+        - /proc:/proc
+        - /:/run/host
+      options: --privileged -it
+    permissions:
+      contents: read
+
+    steps:
+        - uses: actions/checkout@v4
+    
+        - name: De-bloat stock image
+          run: |
+            rm -r /run/host/usr/share/dotnet
+            rm -r /run/host${{ runner.tool_cache }}
+    
+        - name: Install needed packages
+          run: apt update && apt install dpkg-dev build-essential debhelper librsvg2-bin optipng -y
+    
+        - name: Build Debian package
+          run: |
+            dpkg-buildpackage --no-sign
+            mv ../*.deb ../desktop-base.deb
+    
+        - name: Calculate and Save Checksums
+          run: |
+            sha256sum /__w/desktop-base/desktop-base.deb >> checksums.txt
+      
+        - uses: actions/upload-artifact@v4
+          with:
+            name: desktop-base
+            path: |
+                /__w/desktop-base/desktop-base.deb
+                checksums.txt
+
+  release:
+    runs-on: ubuntu-latest
+    needs: build-artifacts
+    permissions:
+      contents: write # to create and upload assets to releases
+      attestations: write # to upload assets attestation for build provenance
+      id-token: write # grant additional permission to attestation action to mint the OIDC token permission
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Download Artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: desktop-base
+
+      - name: Create Release
+        env:
+            GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: gh release create "${{ github.ref_name }}" --generate-notes *.deb desktop-base/checksums.txt
+      
+      - name: Attest Release Files
+        id: attest
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-path: '*.deb, desktop-base/*.txt'