
ci(release): attest build provenance for release artifacts#11441

Merged
zkochan merged 1 commit into
mainfrom
ci/attest-build-provenance
May 4, 2026

Conversation

@zkochan

@zkochan zkochan commented May 4, 2026

Member

Summary

Generate Sigstore-backed SLSA build provenance for the per-platform binary archives produced by pn copy-artifacts, using actions/attest-build-provenance. Users can then verify with gh attestation verify that the binaries attached to a GitHub Release were actually produced by this repo's release workflow rather than uploaded manually.

gh attestation verify pnpm-linux-x64.tar.gz \
    --repo pnpm/pnpm \
    --predicate-type https://slsa.dev/provenance/v1

Why this is not redundant with the existing release attestation

GitHub already auto-generates a release attestation (predicate type https://in-toto.io/attestation/release/v0.2) for every release in this repo, e.g. for v11.0.4. That attestation only proves which file digests were attached to a tag in this repo. It does not prove how those files were built — anyone with release-write permission (a leaked PAT, a malicious workflow) can attach arbitrary binaries to a release, and GitHub will dutifully sign a release attestation for them.

The new build-provenance attestation uses predicate type https://slsa.dev/provenance/v1 and binds each artifact's digest to:

  • the exact workflow file (.github/workflows/release.yml) and commit SHA that built it,
  • the GitHub-hosted runner identity,
  • the workflow run ID.

The two attestations are complementary, not duplicates: release proves "where the file was hosted," build provenance proves "how the file was built."

The pn release step already publishes the npm tarballs with --provenance, so this closes the same gap on the GitHub Release side.

Implementation notes

  • attestations: write permission added to the release job alongside the existing id-token: write (already present for npm OIDC).
  • The attest step runs after Copy Artifacts (so dist/* exists) and before Release (so the digests being signed match what gets uploaded).
  • The action is pinned to its v4.1.0 SHA to match the convention used by the other actions in this workflow.

Test plan

  • Cut a pre-release tag from a branch off this PR and verify gh attestation verify <artifact> --repo pnpm/pnpm --predicate-type https://slsa.dev/provenance/v1 succeeds for each pnpm-* archive and source-maps.tgz.
  • Confirm both predicate types (slsa.dev/provenance/v1 and in-toto.io/attestation/release/v0.2) are visible in the release's attestations API.

Summary by CodeRabbit

  • Chores
    • Enhanced release process with build provenance attestation to improve build integrity verification and transparency.

Generate Sigstore-backed SLSA build provenance for the platform tarballs
and zips produced by `pn copy-artifacts` via actions/attest-build-provenance,
so users can verify with `gh attestation verify` that the binaries attached
to a GitHub release came from this repository's release workflow rather
than from a manual upload.

This complements the release attestation that GitHub auto-generates for
Releases (predicate `https://in-toto.io/attestation/release/v0.2`), which
only proves what files were attached to a tag, not how they were built.
The new attestation uses `https://slsa.dev/provenance/v1` and binds each
artifact's digest to the workflow_ref, commit SHA, and runner identity.

The `pn release` step already publishes npm tarballs with provenance, so
this closes the same gap on the GitHub Release side.
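The PR description distinguishes what the two attestations prove: a release attestation lists the digests attached to a tag, while SLSA v1 build provenance binds a digest to the workflow file, source commit and runner. The following added example (not code from this PR or the pnpm project) shows the checks a consumer would make on the in-toto statement after `gh attestation verify` has already validated its Sigstore signature; the statement layout mirrors GitHub's workflow build type as I understand it, and the sample statement, tag and all-zero commit SHA are constructed placeholders.

```python
import hashlib

SLSA_V1 = "https://slsa.dev/provenance/v1"          # build provenance (what this PR adds)
RELEASE_V02 = "https://in-toto.io/attestation/release/v0.2"  # GitHub's auto release attestation
WORKFLOW = ".github/workflows/release.yml"
REPO = "https://github.com/pnpm/pnpm"


def check_provenance(statement, artifact, name, repo=REPO, workflow_path=WORKFLOW):
    """Return a list of problems (empty means the artifact is bound to the expected build).
    Assumes gh has already verified the Sigstore signature on this in-toto statement."""
    ptype = statement.get("predicateType")
    if ptype != SLSA_V1:
        # A release attestation only lists attached digests; it says nothing about the build.
        return [f"predicateType {ptype!r} is not SLSA v1 build provenance"]
    problems = []
    digest = hashlib.sha256(artifact).hexdigest()
    subjects = {s.get("name"): s.get("digest", {}).get("sha256") for s in statement.get("subject", [])}
    if subjects.get(name) != digest:
        problems.append(f"subject {name!r} does not carry sha256 {digest}")
    build = statement.get("predicate", {}).get("buildDefinition", {})
    wf = build.get("externalParameters", {}).get("workflow", {})
    if wf.get("repository") != repo:
        problems.append(f"built in {wf.get('repository')!r}, expected {repo}")
    if wf.get("path") != workflow_path:
        problems.append(f"built by {wf.get('path')!r}, expected {workflow_path}")
    if not any("gitCommit" in d.get("digest", {}) for d in build.get("resolvedDependencies", [])):
        problems.append("provenance resolves no source commit")
    runner = build.get("internalParameters", {}).get("github", {}).get("runner_environment")
    if runner != "github-hosted":
        problems.append(f"runner_environment {runner!r} is not github-hosted")
    return problems


def sample_statement(name, artifact, predicate_type=SLSA_V1, workflow_path=WORKFLOW):
    """Constructed sample; field layout follows GitHub's workflow build type (an assumption)."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": name, "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
        "predicateType": predicate_type,
        "predicate": {"buildDefinition": {
            "buildType": "https://actions.github.io/buildtypes/workflow/v1",
            "externalParameters": {"workflow": {"ref": "refs/tags/vX.Y.Z",
                                                "repository": REPO, "path": workflow_path}},
            "internalParameters": {"github": {"runner_environment": "github-hosted"}},
            "resolvedDependencies": [{"uri": f"git+{REPO}@refs/tags/vX.Y.Z",
                                      "digest": {"gitCommit": "0" * 40}}]}},  # placeholder SHA
    }
```

Feeding a release attestation (predicate type `RELEASE_V02`) to `check_provenance` is rejected outright, which is the point the PR makes: that predicate cannot answer how the file was built.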
Copilot AI review requested due to automatic review settings May 4, 2026 10:59
@coderabbitai

coderabbitai Bot commented May 4, 2026


No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 7b9c459 and a74ea99.

📒 Files selected for processing (1)
  • .github/workflows/release.yml

📝 Walkthrough

Walkthrough

The release workflow is extended to support build provenance attestation. A new permission attestations: write is added to the release job, and a new step using actions/attest-build-provenance is introduced to attest the built artifacts in the dist/ directory.

Changes

Build Provenance Attestation

Layer / File(s) / Summary
  • Job Permissions (.github/workflows/release.yml): the release job gains attestations: write permission to enable build provenance attestation.
  • Attestation Step (.github/workflows/release.yml): a new "Attest build provenance" step using actions/attest-build-provenance is added to attest all files in dist/*.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 Build provenance now assured and blessed,
Our artifacts wear their attestation vest,
A rabbit's hop through cryptographic cheer,
Trust sealed with each release held dear! ✨

🚥 Pre-merge checks: 5 passed

  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title directly and accurately describes the main change: adding build provenance attestation for release artifacts in the CI workflow.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


Copilot AI left a comment


Pull request overview

This PR enhances the release workflow by generating Sigstore-backed SLSA v1.0 build provenance attestations for the per-platform binary archives produced during pn copy-artifacts, enabling downstream users to verify that GitHub Release assets were built by this repository’s release workflow.

Changes:

  • Add attestations: write permission to the release job to allow publishing provenance attestations.
  • Add an actions/attest-build-provenance step to attest all files produced under dist/* before uploading them to the GitHub Release.


@zkochan zkochan merged commit caf5b7d into main May 4, 2026
14 checks passed
@zkochan zkochan deleted the ci/attest-build-provenance branch May 4, 2026 11:09
zkochan added a commit that referenced this pull request May 4, 2026