Add build attestations for releases (#5967)

.github/workflows/desktop-build.yml

@@ -181,6 +181,7 @@ jobs:
           key: ${{ steps.ccache_restore.outputs.cache-primary-key }}
 
       - name: Upload artifact
+        id: upload_artifact
         if: matrix.package != 'skip'
         uses: actions/upload-artifact@v4
         with:
@@ -189,6 +190,7 @@ jobs:
           if-no-files-found: error
 
       - name: Upload to release
+        id: upload_release
         if: matrix.package != 'skip' && needs.configure.outputs.tag != null
         shell: bash
         env:
@@ -198,6 +200,20 @@ jobs:
           asset_name: ${{steps.build.outputs.name}}
         run: gh release upload "$tag_name" "$asset_path#$asset_name"
 
+      - name: Attest binary provenance
+        id: attestation
+        if: steps.upload_release.outcome == 'success'
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-path: ${{steps.build.outputs.path}}
+          subject-name: ${{steps.build.outputs.name}}
+          subject-digest: sha256:${{ steps.upload_artifact.outputs.artifact-digest }}
+
+      - name: Verify binary attestation
+        if: steps.attestation.outcome == 'success'
+        shell: bash
+        run: gh attestation verify ${{steps.build.outputs.path}} -R Cockatrice/Cockatrice
+
   build-macos:
     strategy:
       fail-fast: false
@@ -342,6 +358,7 @@ jobs:
           fi
 
       - name: Upload artifact
+        id: upload_artifact
         if: matrix.make_package
         uses: actions/upload-artifact@v4
         with:
@@ -350,6 +367,7 @@ jobs:
           if-no-files-found: error
 
       - name: Upload to release
+        id: upload_release
         if: matrix.make_package && needs.configure.outputs.tag != null
         shell: bash
         env:
@@ -359,6 +377,20 @@ jobs:
           asset_name: ${{steps.build.outputs.name}}
         run: gh release upload "$tag_name" "$asset_path#$asset_name"
 
+      - name: Attest binary provenance
+        id: attestation
+        if: steps.upload_release.outcome == 'success'
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-path: ${{steps.build.outputs.path}}
+          subject-name: ${{steps.build.outputs.name}}
+          subject-digest: sha256:${{ steps.upload_artifact.outputs.artifact-digest }}
+
+      - name: Verify binary attestation
+        if: steps.attestation.outcome == 'success'
+        shell: bash
+        run: gh attestation verify ${{steps.build.outputs.path}} -R Cockatrice/Cockatrice
+
   build-windows:
     strategy:
       fail-fast: false
@@ -422,6 +454,7 @@ jobs:
         run: .ci/compile.sh --server --release --test --package
 
       - name: Upload artifact
+        id: upload_artifact
         uses: actions/upload-artifact@v4
         with:
           name: Windows${{matrix.target}}-installer
@@ -438,6 +471,7 @@ jobs:
           if-no-files-found: error
 
       - name: Upload to release
+        id: upload_release
         if: needs.configure.outputs.tag != null
         shell: bash
         env:
@@ -446,3 +480,17 @@ jobs:
           asset_path: ${{steps.build.outputs.path}}
           asset_name: ${{steps.build.outputs.name}}
         run: gh release upload "$tag_name" "$asset_path#$asset_name"
+
+      - name: Attest binary provenance
+        id: attestation
+        if: steps.upload_release.outcome == 'success'
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-path: ${{steps.build.outputs.path}}
+          subject-name: ${{steps.build.outputs.name}}
+          subject-digest: sha256:${{ steps.upload_artifact.outputs.artifact-digest }}
+
+      - name: Verify binary attestation
+        if: steps.attestation.outcome == 'success'
+        shell: bash
+        run: gh attestation verify ${{steps.build.outputs.path}} -R Cockatrice/Cockatrice