Is your feature request related to a problem? Please describe.
Bazel recommends publishing source code archives as release assets – and Bazel Central Registry verifies stability by checking for …/releases/download/… in GitHub URLs. Using gh release download and gh release upload, GitHub Actions can automate this trivially, but OpenSSF punishes projects whose release assets lack signature and provenance.
Describe the solution you'd like
SLSA should provide a workflow for publishing source code archives as release assets with signature and provenance. Ideally, any project's release workflow could include a job specifying only permissions and uses keys and get .zip, .zip.intoto.jsonl, .tar.gz and .tar.gz.intoto.jsonl files attached to the release.
Describe alternatives you've considered
Letting N different projects implement this themselves in approximately N different ways. ;)
Additional context
N/A
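For reference, the kind of release workflow a project currently has to assemble by hand to get source archives plus SLSA provenance attached to a release, as an added example that is not part of the issue above and not code shipped by slsa-github-generator. It builds the archives with git archive, attaches them with gh release upload, and hands their SHA-256 digests to the project's existing generic provenance generator. The generator version tag, the archive names, and the release-event trigger are assumptions; the generic generator emits a single attestation covering both archives rather than one .intoto.jsonl per archive.

```yaml
# Added example: a release workflow that attaches source archives and SLSA provenance.
# Assumes the release already exists (triggered on "release: published") and that
# the generator tag below is pinned to whatever release of slsa-github-generator
# the project has vetted.
name: release-source-archives

on:
  release:
    types: [published]

# Deny everything at the top level; each job requests only what it needs.
permissions: {}

jobs:
  archive:
    runs-on: ubuntu-latest
    permissions:
      contents: write          # needed by "gh release upload"
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}
    steps:
      - uses: actions/checkout@v4

      - name: Build source archives from the tagged commit
        run: |
          prefix="${GITHUB_REPOSITORY#*/}-${GITHUB_REF_NAME}"
          git archive --format=zip    --prefix="${prefix}/" -o "${prefix}.zip"    HEAD
          git archive --format=tar.gz --prefix="${prefix}/" -o "${prefix}.tar.gz" HEAD

      - name: Attach archives to the release
        env:
          GH_TOKEN: ${{ github.token }}
        run: gh release upload "$GITHUB_REF_NAME" ./*.zip ./*.tar.gz --clobber

      - name: Record archive digests for the provenance generator
        id: hash
        # The generic generator expects base64-encoded "sha256sum" output.
        run: |
          echo "hashes=$(sha256sum ./*.zip ./*.tar.gz | base64 -w0)" >> "$GITHUB_OUTPUT"

  provenance:
    needs: [archive]
    permissions:
      actions: read            # read workflow run metadata
      id-token: write          # OIDC token for Sigstore keyless signing
      contents: write          # upload the .intoto.jsonl to the release
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0  # assumed tag
    with:
      base64-subjects: ${{ needs.archive.outputs.hashes }}
      upload-assets: true
```

The point of splitting archive creation from attestation is that the provenance job runs in the generator's own reusable workflow, so the digests it signs were computed in a job the project cannot tamper with after the fact. Consumers verify a downloaded archive against the attached attestation with slsa-verifier, checking that the source URI matches the repository they expect.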