Use attestation instead of signature (#1728)

Author: trask

.github/workflows/release.yml

@@ -17,6 +17,8 @@ jobs:
   release:
     permissions:
       contents: write # for creating the release
+      id-token: write # for signing artifacts with Sigstore
+      attestations: write # for uploading attestations
     runs-on: ubuntu-latest
     needs:
       - common
@@ -152,16 +154,24 @@ jobs:
           .github/scripts/generate-release-contributors.sh v$PRIOR_VERSION >> /tmp/release-notes.txt
           fi
 
-      - id: create-github-release
-        name: Create GitHub release
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Simplify paths for attaching
         run: |
           cp jmx-metrics/build/libs/opentelemetry-jmx-metrics-$VERSION-alpha.jar opentelemetry-jmx-metrics.jar
           cp jmx-metrics/build/libs/opentelemetry-jmx-metrics-$VERSION-alpha.jar.asc opentelemetry-jmx-metrics.jar.asc
           cp jmx-scraper/build/libs/opentelemetry-jmx-scraper-$VERSION-alpha.jar opentelemetry-jmx-scraper.jar
           cp jmx-scraper/build/libs/opentelemetry-jmx-scraper-$VERSION-alpha.jar.asc opentelemetry-jmx-scraper.jar.asc
-          
+
+      - uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
+        with:
+          subject-path: |
+            opentelemetry-jmx-metrics.jar
+            opentelemetry-jmx-scraper.jar
+
+      - id: create-github-release
+        name: Create GitHub release
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
           gh release create --target $GITHUB_REF_NAME \
                             --title "Version $VERSION" \
                             --notes-file /tmp/release-notes.txt \

RELEASING.md

@@ -58,8 +58,10 @@ and deadlocks.
 * Run the [Release workflow](https://github.com/open-telemetry/opentelemetry-java-contrib/actions/workflows/release.yml).
   * Press the "Run workflow" button, then select the release branch from the dropdown list,
     e.g. `release/v1.9.x`, and click the "Run workflow" button below that.
-  * This workflow will publish the artifacts to maven central and will publish a GitHub release
-    with release notes based on the change log and with the jmx metrics jar attached.
+  * This workflow will:
+    * Publish the artifacts to Maven Central
+    * Generate [GitHub Artifact Attestations](https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations) for the JMX Metrics and JMX Scraper jars
+    * Publish a GitHub release with release notes based on the change log and with the jars attached
   * Review and merge the pull request that it creates for updating the change log in main
     (note that if this is not a patch release then the change log on main may already be up-to-date,
     in which case no pull request will be created).