generate provenance attestation

Signed-off-by: Nicolas De Loof <nicolas.deloof@gmail.com>

.github/workflows/ci.yml

@@ -20,6 +20,8 @@ on:
 
 permissions:
   contents: read # to fetch code (actions/checkout)
+  id-token: write
+  attestations: write
 
 jobs:
   prepare:
@@ -250,9 +252,6 @@ jobs:
           files: ./coverage.txt
 
   release:
-    permissions:
-      contents: write # to create a release (ncipollo/release-action)
-
     runs-on: ubuntu-latest
     needs:
       - binary
@@ -285,6 +284,11 @@ jobs:
         name: Check artifacts
         run: |
           find bin/release -type f -exec file -e ascii -- {} +
+      -
+        name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-path: ./bin/release/*
       -
         name: GitHub Release
         if: startsWith(github.ref, 'refs/tags/v')