From a0ebd977fcc19734b69beb062c7cb944b1b0dd63 Mon Sep 17 00:00:00 2001
From: Trask Stalnaker
Date: Thu, 16 Oct 2025 12:47:29 -0700
Subject: [PATCH 1/2] Add release attestations
---
.github/workflows/release.yml | 15 ++++++++++++---
RELEASING.md | 6 ++++--
2 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 93214bb79c29..98cf34bea415 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -21,6 +21,8 @@ jobs: release: permissions: contents: write # for creating the release + id-token: write # for signing artifacts with Sigstore + attestations: write # for uploading attestations runs-on: ubuntu-latest needs: - common
@@ -170,19 +172,26 @@ jobs: .github/scripts/generate-release-contributors.sh v$PRIOR_VERSION >> /tmp/release-notes.txt fi + - name: Simplify jar path for attesting and attaching + run: | + cp javaagent/build/libs/opentelemetry-javaagent-${VERSION}.jar opentelemetry-javaagent.jar + + - uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0 + with: + subject-path: | + opentelemetry-javaagent.jar + opentelemetry-java-instrumentation-SBOM.zip + - id: create-github-release name: Create GitHub release env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - cp javaagent/build/libs/opentelemetry-javaagent-${VERSION}.jar opentelemetry-javaagent.jar - cp javaagent/build/libs/opentelemetry-javaagent-${VERSION}.jar.asc opentelemetry-javaagent.jar.asc gh release create --target $GITHUB_REF_NAME \ --title "Version $VERSION" \ --notes-file /tmp/release-notes.txt \ v$VERSION \ opentelemetry-javaagent.jar \ - opentelemetry-javaagent.jar.asc \ opentelemetry-java-instrumentation-SBOM.zip # these are used as job outputs
diff --git a/RELEASING.md b/RELEASING.md
index 0cc432ae481b..62e62372b6a5 100644
--- a/RELEASING.md
+++ b/RELEASING.md
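Review bot: `id-token: write` on the `release` job lets every step in that job request an OIDC token, not only the attest step, so the inline comment should state that and the constraint it implies; e.g. `id-token: write # OIDC token for Sigstore signing in attest-build-provenance; every step in this job can mint one, so keep all actions SHA-pinned`. The two actions visible in this patch are pinned to full commit SHAs with a version comment, which is the right posture for a job holding this permission. The `jobs.release` definition continues outside the hunk, so I cannot confirm the same for its remaining steps.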
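Review bot: The `actions/attest-build-provenance` step is the only step in this hunk without a `name:`, and nothing in the workflow or the release notes tells consumers how to check the attestation it produces. Give the step a name, e.g. `- name: Attest build provenance for javaagent jar and SBOM`, and document the verification command, `gh attestation verify opentelemetry-javaagent.jar --repo open-telemetry/opentelemetry-java-instrumentation`, in the user-facing release documentation rather than only in RELEASING.md. The attestation subjects are the copied `opentelemetry-javaagent.jar` and `opentelemetry-java-instrumentation-SBOM.zip`, which are the same files later uploaded by `gh release create`, so a downloaded release asset's digest will match the attestation; whether the jar published to Maven Central is byte-identical, and therefore also verifiable, is not visible in this hunk. The earlier steps of the `release` job, where the jar, its `.asc` and the SBOM zip are produced, lie outside the hunk.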
@@ -65,8 +65,10 @@ and deadlocks. - Run the [Release workflow](https://github.com/open-telemetry/opentelemetry-java-instrumentation/actions/workflows/release.yml). - Press the "Run workflow" button, then select the release branch from the dropdown list, e.g. `release/v1.9.x`, and click the "Run workflow" button below that. - - This workflow will publish the artifacts to maven central and will publish a GitHub release - with release notes based on the change log and with the javaagent jar attached. + - This workflow will: + - Publish the artifacts to Maven Central + - Generate [GitHub Artifact Attestations](https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations) for the Java agent jar and SBOM bundle + - Publish a GitHub release with release notes, Java agent jar, and SBOM bundle - Review and merge the pull request that it creates for updating the apidiff baseline version to the newly released version (note that this pull request won't be made until after the release is available in maven central).
From fa0d1bc4ded585426c3d7d64898a9b88eed06e19 Mon Sep 17 00:00:00 2001
From: Trask Stalnaker
Date: Fri, 17 Oct 2025 10:14:14 -0700
Subject: [PATCH 2/2] keep asc
---
.github/workflows/release.yml | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 98cf34bea415..b3d58dc948ae 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -172,9 +172,10 @@ jobs: .github/scripts/generate-release-contributors.sh v$PRIOR_VERSION >> /tmp/release-notes.txt fi - - name: Simplify jar path for attesting and attaching + - name: Simplify paths for attaching run: | cp javaagent/build/libs/opentelemetry-javaagent-${VERSION}.jar opentelemetry-javaagent.jar + cp javaagent/build/libs/opentelemetry-javaagent-${VERSION}.jar.asc opentelemetry-javaagent.jar.asc - uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0 with:
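Review bot: The step's new name `Simplify paths for attaching` drops the word "attesting", yet the copied `opentelemetry-javaagent.jar` is still the subject of the `attest-build-provenance` step that immediately follows, so the rename hides why this copy must run before the attest step. Suggest `- name: Simplify paths for attesting and attaching`, or a comment above the step such as `# the copied jar is both the attestation subject and the release asset; keep this ahead of the attest step`. The `subject-path` list set in the previous patch is left unchanged here, so the re-added `.asc` is not an attestation subject, which is the right call for a detached signature. The attest step's `with:` block, and the rest of the step list, continue past the end of this hunk.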
@@ -192,6 +193,7 @@ jobs: --notes-file /tmp/release-notes.txt \ v$VERSION \ opentelemetry-javaagent.jar \ + opentelemetry-javaagent.jar.asc \ opentelemetry-java-instrumentation-SBOM.zip # these are used as job outputs