Verify artifact attestations for dart-sass

Author: ntkme

.github/workflows/build.yml

@@ -179,6 +179,8 @@ jobs:
 
       - name: Compile
         run: bundle exec rake compile
+        env:
+          GH_TOKEN: ${{ github.token }}
 
       - name: Spec
         if: "!matrix.vm || contains(matrix.vm.run, 'linux_base') || contains(matrix.vm.run, '/proc')" # TODO: remove after https://github.com/sass/dart-sass/pull/2413

.github/workflows/release.yml

@@ -68,6 +68,8 @@ jobs:
 
       - name: Compile
         run: bundle exec rake compile ext_platform=${{ matrix.platform }}
+        env:
+          GH_TOKEN: ${{ github.token }}
 
       - name: Build
         run: rake -f -r bundler/gem_tasks build gem_platform=${{ matrix.platform }}

ext/sass/Rakefile

@@ -50,6 +50,9 @@ file 'dart-sass/sass' do
   end
 rescue StandardError
   archive = fetch(SassConfig.dart_sass)
+  if SassConfig.development? && system('gh', 'auth', 'status', '--hostname', 'github.com', %i[out err] => File::NULL)
+    sh 'gh', 'attestation', 'verify', archive, '--hostname', 'github.com', '--repo', 'sass/dart-sass'
+  end
   unarchive archive
   rm archive
 end