add build provenance attestation

Author: afragen

.github/workflows/releases.yml

@@ -9,6 +9,10 @@ jobs:
   build:
     name: Upload Release Asset
     runs-on: ubuntu-latest
+    permissions:
+      attestations: write
+      id-token: write
+      contents: write
     steps:
       - name: Checkout code
         uses: actions/checkout@master
@@ -27,3 +31,8 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           files: /tmp/${{ github.event.repository.name }}-${{ steps.tag.outputs.tag }}.zip
+
+      - name: Build provenance attestation
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-path: /tmp/${{ github.event.repository.name }}-${{ steps.tag.outputs.tag }}.zip