
ci: attest build provenance for CLI binaries #8379

Merged
siketyan merged 1 commit into biomejs:main from siketyan:ci/attest-build-provenance
Dec 8, 2025

Conversation

@siketyan (Member) commented Dec 7, 2025

Summary

Generates build provenance for the CLI binaries in a release, using the actions/attest-build-provenance action. Users can now verify the binaries using the gh CLI to ensure they were really built on GitHub Actions. It's similar to npm's provenance feature, but for CLI binaries.

ref: https://docs.github.com/en/actions/how-tos/secure-your-work/use-artifact-attestations/use-artifact-attestations

Test Plan

Fingers crossed on the next release

Docs

N/A

@siketyan siketyan requested review from a team December 7, 2025 06:39
@siketyan siketyan self-assigned this Dec 7, 2025
@changeset-bot (Bot) commented Dec 7, 2025

⚠️ No Changeset found

Latest commit: e523e51

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


@coderabbitai (Contributor, Bot) commented Dec 7, 2025

Walkthrough

This change adds build provenance attestation to the release workflows. GitHub Actions permissions are extended with attestations: write and id-token: write access. Attest-build-provenance steps are inserted into multiple build jobs across both release.yml and release_cli.yml, executing after binary copying but before artifact uploads. These steps generate provenance attestations for the biome binaries.

Pre-merge checks and finishing touches

✅ Passed checks (2 passed)
  • Title check: Passed. The title accurately describes the main change: adding build provenance attestation for CLI binaries using GitHub Actions.
  • Description check: Passed. The description clearly explains the purpose (verifying CLI binaries were built on GitHub Actions), references the attest-build-provenance action, and provides relevant documentation links.

@coderabbitai (Contributor, Bot) left a review comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
.github/workflows/release.yml (1)

12-12: Workflow-level attestation permissions added.

Adding attestations: write and id-token: write at the workflow level simplifies configuration, though this grants these permissions to all jobs. Since neither build-wasm nor build-js-api use these permissions, consider whether job-level scoping (as done in release_cli.yml) would be more security-conscious.

Alternatively, this is acceptable if you prefer simplicity over strict least-privilege here.

Also applies to: 14-14

📜 Review details

Reviewing files that changed from the base of the PR and between d71924e and e523e51.

📒 Files selected for processing (2)
  • .github/workflows/release.yml (3 hunks)
  • .github/workflows/release_cli.yml (4 hunks)
🔇 Additional comments (6)
.github/workflows/release_cli.yml (4)

67-70: Job-level permissions explicitly scoped.

The permissions block correctly restricts access to what's needed for attestation generation. Good practice for security.


151-154: Consistent permissions across build jobs.

Matching the permissions from the earlier build job is appropriate for consistency.


188-191: Attest step placement is correct.

The step is positioned between binary copying and artifact upload, which is the right place for provenance generation.


124-127: Action version is current and compatible with Depot runners.

The actions/attest-build-provenance@v3.0.0 is the latest available version. It works properly with Depot's managed runners, provided the job grants the required permissions (id-token: write and attestations: write) and the runner can request GitHub OIDC tokens—both of which Depot runners support.

.github/workflows/release.yml (2)

181-184: Attest step in standard build job looks good.

Placement and configuration mirror the CLI workflow. The build-binaries job correctly inherits the necessary permissions from the workflow level.


239-242: Ensure build artifacts are accessible to the attest action from containerized build steps.

The attest-build-provenance action runs in the job context after containerized build steps complete. Verify that ./dist/biome-* artifacts built inside the Docker container are accessible to the action—container outputs must be mounted or copied to the host job filesystem. OIDC token access is not constrained by containerization since the action operates outside the container.

A member replied:

This workflow is currently unused; it's here as a backup.
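The two points raised on this page, generating the attestation with job-scoped permissions (the review nitpick on release.yml) and verifying a binary with the gh CLI (the PR description), are easier to see together in one workflow. The following is an added example written for this page; it is not the biomejs/biome workflow and not the diff under review. The trigger, job names, the `cargo build` command and the `biome-linux-x64` asset name are assumptions made for the illustration; `subject-path: ./dist/biome-*` mirrors the subject path quoted in the review, and the `gh attestation verify` flags used (`--repo`, `--signer-workflow`, `--deny-self-hosted-runners`) are those of gh's `attestation verify` subcommand.

```yaml
# Added example, not the biomejs/biome workflow. Job names, the build
# command and the asset file name are assumptions; ./dist/biome-* mirrors
# the subject path quoted in the review comments.
name: Release CLI (with build provenance)

on:
  workflow_dispatch:

# Workflow-level grant stays read-only. Putting id-token: write and
# attestations: write here would hand them to every job, including jobs
# that never attest anything (the least-privilege point raised in review).
permissions:
  contents: read

jobs:
  build-binaries:
    runs-on: ubuntu-latest
    # Only the job that signs gets the two extra scopes.
    permissions:
      contents: read
      id-token: write      # OIDC token that Sigstore binds to the signing cert
      attestations: write  # store the signed provenance on the repository
    steps:
      - uses: actions/checkout@v4

      - name: Build CLI
        run: cargo build --release -p biome_cli   # assumed build command

      - name: Copy binaries
        run: |
          mkdir -p dist
          cp target/release/biome dist/biome-linux-x64   # assumed asset name

      # Runs after the binaries exist and before they leave the job, so the
      # attested digest is the digest of the exact bytes that get uploaded.
      - name: Attest build provenance
        uses: actions/attest-build-provenance@v3
        with:
          subject-path: ./dist/biome-*

      - uses: actions/upload-artifact@v4
        with:
          name: biome-linux-x64
          path: ./dist/biome-*

  # Consumer-side check. It runs in CI here, but the command is the same
  # one a user types after downloading a release asset.
  verify-provenance:
    needs: build-binaries
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: biome-linux-x64
          path: dist

      - name: Verify provenance
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          # --repo: the attestation must be signed by a workflow of this repo.
          # --signer-workflow: pin the exact workflow file; a fork, or another
          #   workflow in the same repo, would not satisfy this identity.
          # --deny-self-hosted-runners: reject provenance produced on runners
          #   that GitHub does not host.
          gh attestation verify dist/biome-linux-x64 \
            --repo "$GITHUB_REPOSITORY" \
            --signer-workflow "$GITHUB_REPOSITORY/.github/workflows/release_cli.yml" \
            --deny-self-hosted-runners
```

Locally the check is `gh attestation verify ./biome-linux-x64 --repo biomejs/biome` (plus `--signer-workflow` if you want to pin the workflow). The match is by digest, so the file name is irrelevant; what is checked is that the bytes correspond to a subject in an attestation whose Sigstore certificate identity is a workflow of the named repository. A tampered binary, or one built by a fork, exits non-zero. One caveat on the last flag: if the release job runs on a third-party managed runner such as Depot, check whether GitHub reports that runner as self-hosted before relying on `--deny-self-hosted-runners`, since the flag rejects any attestation whose OIDC claims say so.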

@siketyan siketyan merged commit efdd6f6 into biomejs:main Dec 8, 2025
3 checks passed
l0ngvh pushed a commit to l0ngvh/biome that referenced this pull request Dec 21, 2025
