Add release attestations (#15020)

Author: trask

.github/workflows/release.yml

@@ -21,6 +21,8 @@ jobs:
   release:
     permissions:
       contents: write # for creating the release
+      id-token: write # for signing artifacts with Sigstore
+      attestations: write # for uploading attestations
     runs-on: ubuntu-latest
     needs:
       - common
@@ -170,13 +172,22 @@ jobs:
           .github/scripts/generate-release-contributors.sh v$PRIOR_VERSION >> /tmp/release-notes.txt
           fi
 
+      - name: Simplify paths for attaching
+        run: |
+          cp javaagent/build/libs/opentelemetry-javaagent-${VERSION}.jar opentelemetry-javaagent.jar
+          cp javaagent/build/libs/opentelemetry-javaagent-${VERSION}.jar.asc opentelemetry-javaagent.jar.asc
+
+      - uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
+        with:
+          subject-path: |
+            opentelemetry-javaagent.jar
+            opentelemetry-java-instrumentation-SBOM.zip
+
       - id: create-github-release
         name: Create GitHub release
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          cp javaagent/build/libs/opentelemetry-javaagent-${VERSION}.jar opentelemetry-javaagent.jar
-          cp javaagent/build/libs/opentelemetry-javaagent-${VERSION}.jar.asc opentelemetry-javaagent.jar.asc
           gh release create --target $GITHUB_REF_NAME \
                             --title "Version $VERSION" \
                             --notes-file /tmp/release-notes.txt \

RELEASING.md

@@ -65,8 +65,10 @@ and deadlocks.
 - Run the [Release workflow](https://github.com/open-telemetry/opentelemetry-java-instrumentation/actions/workflows/release.yml).
   - Press the "Run workflow" button, then select the release branch from the dropdown list,
     e.g. `release/v1.9.x`, and click the "Run workflow" button below that.
-  - This workflow will publish the artifacts to maven central and will publish a GitHub release
-    with release notes based on the change log and with the javaagent jar attached.
+  - This workflow will:
+    - Publish the artifacts to Maven Central
+    - Generate [GitHub Artifact Attestations](https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations) for the Java agent jar and SBOM bundle
+    - Publish a GitHub release with release notes, Java agent jar, and SBOM bundle
   - Review and merge the pull request that it creates for updating the apidiff baseline version
     to the newly released version (note that this pull request won't be made until after the release
     is available in maven central).