
Merge pull request #9135 from ThomasWaldmann/issue-9134-attestations

CI: add GitHub artifact attestations for release binaries, fixes #9134 (master)
TW, 1 month ago
Parent commit f24adf5484
2 changed files with 28 additions and 0 deletions
  1. + 10 - 0  .github/workflows/ci.yml
  2. + 18 - 0  docs/binaries/00_README.txt

+ 10 - 0
.github/workflows/ci.yml

@@ -62,6 +62,10 @@ jobs:
   posix_tests:
   posix_tests:
 
 
     needs: [lint, security]
     needs: [lint, security]
+    permissions:
+      contents: read
+      id-token: write
+      attestations: write
     strategy:
     strategy:
       fail-fast: true
       fail-fast: true
       # noinspection YAMLSchemaValidation
       # noinspection YAMLSchemaValidation
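Review bot: the new `permissions` block grants `id-token: write` and `attestations: write` to the whole `posix_tests` job, although the attestation step is only meant to run for tagged builds (`steps.detect_tag.outputs.tagged`); every other step in the job, including those run for ordinary pull requests, now executes with a token that can mint OIDC identity tokens. If the job can be split, consider giving only the tagged/attestation path these write scopes. Also, because an explicit `permissions` block replaces the default token scopes, check that no other step in `posix_tests` relied on a scope beyond `contents: read`.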
@@ -268,6 +272,12 @@ jobs:
         echo "binary files"
         echo "binary files"
         ls -l artifacts/
         ls -l artifacts/
 
 
+    - name: Attest binaries provenance (${{ matrix.binary }})
+      if: ${{ matrix.binary && steps.detect_tag.outputs.tagged }}
+      uses: actions/attest-build-provenance@v3
+      with:
+        subject-path: 'artifacts/*'
+
     - name: Upload binaries (${{ matrix.binary }})
     - name: Upload binaries (${{ matrix.binary }})
       if: ${{ matrix.binary && steps.detect_tag.outputs.tagged }}
       if: ${{ matrix.binary && steps.detect_tag.outputs.tagged }}
       uses: actions/upload-artifact@v4
       uses: actions/upload-artifact@v4
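Review bot: `subject-path: 'artifacts/*'` attests every file present in `artifacts/` at that point, so anything besides the release binary that ends up in that directory (the preceding `ls -l artifacts/` is the only visibility into its contents) receives a provenance attestation as well; consider naming the binary explicitly or asserting that the directory holds exactly the expected file. The `if:` condition matches the upload step, which is good. Note that `actions/attest-build-provenance@v3` is referenced by a floating major tag, whereas a step that produces supply-chain evidence is a natural candidate for pinning to a commit SHA.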

+ 18 - 0
docs/binaries/00_README.txt

@@ -68,6 +68,24 @@ GPG key fingerprint: 6D5B EF9A DD20 7580 5747 B70F 9F88 FB52 FAF7 B393
 My fingerprint is also in the footer of all my BorgBackup mailing list posts.
 My fingerprint is also in the footer of all my BorgBackup mailing list posts.
 
 
 
 
+Provenance attestations for GitHub-built binaries
+-------------------------------------------------
+
+For binaries built on GitHub (files with a "-gh" suffix in the name), we publish
+an artifact provenance attestation that proves the binary was built by our
+GitHub Actions workflow from a specific commit or tag. You can verify this using
+the GitHub CLI (gh). Install it from https://cli.github.com/ and make sure you
+use a recent version that supports "gh attestation".
+
+Practical example (Linux, 2.0.0b20 tag):
+
+    curl -LO https://github.com/borgbackup/borg/releases/download/2.0.0b20/borg-linux-glibc235-x86_64-gh
+    gh attestation verify --repo borgbackup/borg --ref 2.0.0b20 ./borg-linux-glibc235-x86_64-gh
+
+If verification succeeds, gh prints a summary stating the subject (your file),
+that it was attested by GitHub Actions, and the job/workflow reference.
+
+
 Installing
 Installing
 ----------
 ----------
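Review bot: the README tells readers to use "a recent version" of gh without stating the minimum version whose `gh attestation verify` accepts the flags shown (`--repo`, `--ref`); naming a version would save readers a confusing unknown-flag error. It would also help to say explicitly that the attestation covers only the "-gh" binaries and is in addition to, not a replacement for, the GPG signature check described just above, and that a passing verification establishes which workflow and commit built the file, not that the build itself is free of defects.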