[Infra] Attest DLLs with GitHub Attestations (#6646)

Author: martincostello

.github/workflows/publish-packages-1.0.yml

@@ -28,6 +28,7 @@ jobs:
   build-pack-publish:
     runs-on: windows-latest
     permissions:
+      attestations: write
       contents: read
       id-token: write
     env:
@@ -75,6 +76,12 @@ jobs:
             }
         }
 
+    - name: Create GitHub attestations for DLLs
+      uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
+      with:
+        subject-path: |
+          ./artifacts/bin/*/release_*/OpenTelemetry*.dll
+
     - name: dotnet pack
       shell: pwsh
       env:

README.md

@@ -216,6 +216,23 @@ cosign verify-blob \
 For more verification options please refer to the [cosign
 documentation](https://github.com/sigstore/cosign/blob/main/doc/cosign_verify-blob.md).
 
+### Attestation
+
+Starting with the `1.14.0` release the DLLs included in the packages pushed to
+NuGet are attested using [GitHub Artifact attestations](https://docs.github.com/actions/concepts/security/artifact-attestations).
+
+To verify the attestation of a DLL inside a NuGet package use the [GitHub CLI](https://cli.github.com/):
+
+```bash
+gh attestation verify --owner open-telemetry .\OpenTelemetry.dll
+```
+
+> [!NOTE]
+> A successful verification outputs `Verification succeeded!`.
+
+For more verification options please refer to the [`gh attestation verify`
+documentation](https://cli.github.com/manual/gh_attestation_verify).
+
 ## Contributing
 
 For information about contributing to the project see: