Port workflow updates

This includes two mechanisms that should impair any theoretical ability
on my part to modify a GitHub release without detection:

  1. Printing the SHA256SUMS as they're generated, so you can see them
     in the workflow output and compare them with the release
     attachment.

  2. Using GitHub's formal "Attestations" feature to sign the release
     archives with a Microsoft-controlled PKI that _should_ only be
     accessible in the context of a GitHub Actions workflow. There's a
     lot I don't love about this solution on principle, but it's cheap
     enough to add and arguably stronger since the attestations are
     stored in a public immutable log. More interestingly, if you do use
     the GitHub CLI to verify a tarball, it can link you to the specific
     workflow run that signed it without you having to dig through
     multiple levels of links.

I wondered if I should bother to GPG-sign the SHA256SUMS file, but that
wouldn't provide the guarantee I mentioned above, since I control that
key and could theoretically modify the signature along with anything
else.

Author: featherbread

.github/workflows/build-release-archives.yml

@@ -65,10 +65,14 @@ jobs:
         path: target.tar.gz
 
   assemble-archives:
-    needs: [build-doc, build-binaries-unix]
+    needs:
+    - build-doc
+    - build-binaries-unix
     runs-on: ubuntu-24.04
     permissions:
       contents: write
+      id-token: write
+      attestations: write
     steps:
     - name: Checkout
       uses: actions/checkout@v4
@@ -80,11 +84,15 @@ jobs:
           tar -xvf $targetdir/target.tar.gz
           make dist/xt-${targetdir#./target-}.tar.gz
         done
-        (cd dist && sha256sum xt-*.tar.gz > SHA256SUMS)
+        (cd dist && sha256sum xt-*.tar.gz | tee SHA256SUMS)
     - name: Upload Release Artifacts
       uses: actions/upload-artifact@v4
       with:
         name: release
         path: |
           dist/xt-*.tar.gz
           dist/SHA256SUMS
+    - name: Create GitHub Attestation
+      uses: actions/attest-build-provenance@v2
+      with:
+        subject-checksums: dist/SHA256SUMS

.github/workflows/release-process.yml

@@ -57,6 +57,8 @@ jobs:
     uses: ./.github/workflows/build-release-archives.yml
     permissions:
       contents: write
+      id-token: write
+      attestations: write
 
   merge-release:
     needs:
@@ -96,16 +98,16 @@ jobs:
     # outside of the GitHub workflow.
     #
     # THIS STEP IS THE POINT OF NO RETURN.
-    # IT IS THE ATOMIC MOMENT AT WHICH THE RELEASE OCCURS AND CANNOT BE REVOKED.
+    # IT IS THE ATOMIC MOMENT AT WHICH THE RELEASE OCCURS,
+    # AFTER WHICH IT CANNOT BE REVOKED.
     #
     # Any failures after this point MUST be possible to recover from manually.
     # For example, the GitHub release can be cut by hand using archives uploaded
     # to the workflow run, and the crate can be published from a local checkout
     # of the tag.
     - name: Push Release
       if: ${{ github.ref == 'refs/heads/start-release' }}
-      run: |
-        git push --atomic origin main "$RELEASE_TAG" :"$RELEASE_BRANCH"
+      run: git push --atomic origin main "$RELEASE_TAG" :"$RELEASE_BRANCH"
 
   create-github-release:
     if: ${{ github.ref == 'refs/heads/start-release' }}