chore(actions): Add doc how to verify GitHub Attestations with GitHub cli and verify release artifacts with Cosign

[ViacheslavKudinov]

Resolves #NaN

---

Before the change?

• There is no doc how to verify attestations

After the change?

• Add how to use verification of attestations with GitHub CLI
  https://docs.github.com/en/actions/how-tos/secure-your-work/use-artifact-attestations/use-artifact-attestations
• Add Cosign verification

Pull request checklist

• Schema migrations have been created if needed (example)
• Tests for the changes have been added (for bug fixes / features)
• Docs have been reviewed and added / updated if needed (for bug fixes / features)

Does this introduce a breaking change?

Please see our docs on breaking changes to help!

• Yes
• No

---

[ViacheslavKudinov]

Any known thing why we may regret by adding attestation?

Just loudly thinking if anything we need to consider

[ViacheslavKudinov]

@nickfloyd @stevehipwell I've updated PR to resolve conflicts after workflows were updated.
Now it includes only doc how to do verification of attestations.

Please, feel free to suggest any updates.

[stevehipwell]

Would it be possible to add the cosign equivalents of the gh commands? We also ought to provide the command to verify the SHA256SUMS file signature.

[ViacheslavKudinov]

@stevehipwell i've updated doc.
It is not exactly equivalents as with Cosign is only signed checksum file,
but anyway i tried to cover what we can do with current settings to verify the SHA256SUMS file signature and then with checksum the artifact(s).

Please, let me know if something else was expected or i've missed.

[stevehipwell]

I've added some comments, note that you can also verify the attestations with cosign.

[ViacheslavKudinov]

@ViacheslavKudinov this is looking really good. I've just added a couple of simple suggestions (note the headings one applies to all heading not just the one I highlighted).

@stevehipwell thanks for the suggestions. I had a chance to make the changes.

Could you check how it looks now ?
Anything else would be good to update?

Thank you in advance.

[stevehipwell]

I think the headings still need to be capitalized, I've mad some changes in the spirit of being concise but the real point is to get the capitalization right.

[ViacheslavKudinov]

I think the headings still need to be capitalized, I've mad some changes in the spirit of being concise but the real point is to get the capitalization right.

Oh, sorry i didn't get it correctly.

Is it some "known rule" how capitalization should happen in "heading" ?

I'm not aware that there is something in place, but doesn't mean it is not there.

[stevehipwell]

Thanks for your patience @ViacheslavKudinov.

LGTM

[stevehipwell]

@ViacheslavKudinov could you please rebase this?

[ViacheslavKudinov]

@ViacheslavKudinov could you please rebase this?

@stevehipwell merged "main" into this branch via UI