Add GitHub Actions build provenance attestations

.github/workflows/publish.yml

@@ -74,7 +74,7 @@ jobs:
       - name: Upload install helper artifact
         uses: actions/upload-artifact@v4
         with:
-          name: install-helpers
+          name: web-ext-install-helpers
           path: ./scripts/install/dist/*
 
   release:
@@ -120,3 +120,59 @@ jobs:
             --clobber
         env:
           GH_TOKEN: ${{ github.token }}
+
+  attest:
+    name: Attest build provenance
+    runs-on: ubuntu-latest
+    needs:
+      - release
+
+    permissions:
+      contents: write
+      id-token: write
+      attestations: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Download artifacts to attest
+        uses: actions/download-artifact@v4
+        with:
+          pattern: web-ext-*
+          path: ./web-ext-artifacts
+          merge-multiple: true
+
+      - name: Generate artifact attestation
+        id: provenance
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-path: ./web-ext-artifacts
+
+      - name: Generate SBOM
+        uses: anchore/sbom-action@v0
+        with:
+          path: ./web-ext-artifacts
+          upload-artifact: false
+          output-file: ./sbom.spdx.json
+
+      - name: Generate SBOM attestation
+        id: sbom
+        uses: actions/attest-sbom@v1
+        with:
+          subject-path: ./web-ext-artifacts
+          sbom-path: ./sbom.spdx.json
+
+      - name: Merge attestations
+        run: |
+          cat "${{ steps.provenance.outputs.bundle-path }}" >> ./attestation.jsonl
+          cat "${{ steps.sbom.outputs.bundle-path }}" >> ./attestation.jsonl
+
+      - name: Attach attestation to release
+        run: |
+          gh release upload \
+            "${{ github.ref_name }}" \
+            ./attestation.jsonl \
+            --clobber
+        env:
+          GH_TOKEN: ${{ github.token }}