Problem
There is no verifiable provenance linking the published zips and .nupkg to the source commit and workflow that built them. A SHA in the Homebrew/winget manifests proves the download matches what was published, but not that the published artifact came from this pipeline.
Fix
- Add actions/attest-build-provenance to release.yml to generate SLSA build provenance for the release artifacts (and the NuGet package).
- Document verification with gh attestation verify.
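Added example, not code from this repository: the shape a release.yml job would take with the attestation step wired in. The workflow name, tag pattern, build command, `dist/` paths and action version are placeholder assumptions; the three permissions are the ones the action needs.

```yaml
# Added example (not from the issue or the project): a release job that
# generates SLSA build provenance for the zips and the .nupkg.
# Paths, build command and artifact names are placeholders.
name: release
on:
  push:
    tags: ["v*"]

jobs:
  build-and-attest:
    runs-on: ubuntu-latest
    permissions:
      contents: write      # needed to upload the release assets
      id-token: write      # OIDC token that Sigstore uses to sign the attestation
      attestations: write  # store the provenance in the repository's attestation API
    steps:
      - uses: actions/checkout@v4

      # Existing build step stands in here (project-specific, placeholder).
      - name: Build release artifacts
        run: ./build.sh --output dist/

      # Bind every published artifact, including the NuGet package, to this
      # commit and this workflow. Pin the action to a full commit SHA in practice.
      - name: Attest build provenance
        uses: actions/attest-build-provenance@v2
        with:
          subject-path: |
            dist/*.zip
            dist/*.nupkg

      - name: Upload release assets
        run: gh release upload "${GITHUB_REF_NAME}" dist/*.zip dist/*.nupkg
        env:
          GH_TOKEN: ${{ github.token }}
```

A consumer then runs `gh attestation verify dist/example.zip --repo OWNER/REPO` (placeholder path and repo), which checks the Sigstore signature and that the provenance names this repository's workflow, rather than only that the bytes match a manifest SHA.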
Priority: Medium