Upload Release Attestations

[maennchen]

Adds attestations to the releases. This makes it simpler for consumers to check the build provenance of the uploaded release artifacts.

This will also improve the OpenSSF Scorecard Score for Signed Releases from 0 to 8 once the 10 most recent release artifacts are signed.

[maennchen]

I was checking the spec one more time to be sure everything is as it should be. I think I misinterpreted it and the files should be of type .intoto.jsonl and not .sigstore since they offer SLSA provenance.

I'll push an update.

[maennchen]

Update: It was correct. The file itself is of type application/vnd.dev.sigstore.bundle.v0.3+json (.sigstore file extension) and contains a application/vnd.in-toto+json (.intoto.jsonl file extension)

[josevalim]

💚 💙 💜 💛 ❤️

[wojtekmach]

$ gh attestation verify --repo elixir-lang/elixir <(curl -fsSL https://github.com/elixir-lang/elixir/releases/download/main-latest/elixir-otp-27.zip)
Loaded digest sha256:2778547ac364a06e1d48c11ba373f2d5c3c610a258bcb517be5385608e61b039 for file:///dev/fd/11
Loaded 1 attestation from GitHub API
✓ Verification succeeded!

sha256:2778547ac364a06e1d48c11ba373f2d5c3c610a258bcb517be5385608e61b039 was attested by:
REPO                PREDICATE_TYPE                  WORKFLOW
elixir-lang/elixir  https://slsa.dev/provenance/v1  .github/workflows/release.yml@refs/heads/main

Nice, thanks @maennchen!

[maennchen]

@wojtekmach That already worked before. I just made sure to add it to the release files. That way you can also download the attestation and check the files using general purpose tools not provided by GitHub.