Description
Please explain the motivation behind the feature request.
Goose binaries are downloaded and executed in CI/CD environments (e.g., setup-goose-action). Currently, release artifacts have no cryptographic verification mechanism. Consumers cannot verify that binaries were built by block/goose's GitHub Actions. GitHub Artifact Attestations (GA since May 2024) provide zero-config SLSA v1.0 provenance.
Describe the solution you'd like
Add SLSA provenance attestations to release binaries using GitHub's attest-build-provenance action.
```yaml
permissions:
  id-token: write
  attestations: write

- uses: actions/attest-build-provenance@v3
  with:
    subject-path: 'path/to/binary'
```

Consumers verify with:

```shell
gh attestation verify goose-linux-x86_64 -R block/goose
```

Describe alternatives you've considered
- Manual checksums (SHA256 files) - requires key management, no provenance
- Cosign signing - more complex setup than GitHub's built-in attestations
- No verification - current state
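A complete workflow implementing the proposal above, added here as an example and not block/goose's own release workflow: the build script, the artifact names and the second job (which stands in for a consumer such as setup-goose-action and fails closed if verification does not pass) are assumptions.

```yaml
# Added example, not the project's workflow. Assumed: a build script that
# writes dist/goose-<os>-<arch>, and a consumer-side job that verifies a
# binary against the repository's attestations before executing it.
name: release

on:
  push:
    tags: ['v*']

permissions:
  contents: read

jobs:
  build-and-attest:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write      # required to obtain the Sigstore signing identity
      attestations: write  # required to store the attestation on the repo
    steps:
      - uses: actions/checkout@v4
      - name: Build release binaries (assumed script)
        run: ./scripts/build-release.sh
      - name: Attest provenance for every binary in dist/
        uses: actions/attest-build-provenance@v3
        with:
          subject-path: 'dist/goose-*'   # one subject per matched file
      - uses: actions/upload-artifact@v4
        with:
          name: goose-binaries
          path: dist/goose-*

  verify-before-run:
    needs: build-and-attest
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: goose-binaries
          path: dist
      - name: Verify provenance, then run
        env:
          GH_TOKEN: ${{ github.token }}   # gh needs a token for the attestation API
        run: |
          set -euo pipefail
          bin=dist/goose-linux-x86_64
          # Fail closed: a non-zero exit from gh aborts the step, so the binary
          # only runs if an attestation signed by a block/goose workflow matches it.
          gh attestation verify "$bin" -R block/goose
          chmod +x "$bin"
          "$bin" --version
```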
Additional context
- I have verified this does not duplicate an existing feature request