ci(deploy): provenance (#387)

Use actions/attest-build-provenance to generate Sigstore-backed
attestations for each released executable, so consumers can verify
that the binaries on GitHub Releases were built by this workflow
rather than uploaded manually.

---------

Co-authored-by: Claude <noreply@anthropic.com>

Author: KSXGitHub

.github/workflows/deploy.yaml

@@ -64,6 +64,11 @@ jobs:
 
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: read
+      id-token: write # needed for actions/attest-build-provenance
+      attestations: write
+
     strategy:
       fail-fast: true
       matrix:
@@ -90,6 +95,11 @@ jobs:
       - name: Strip all debug symbols
         run: strip --strip-all target/${{ matrix.target }}/release/pdu
 
+      - name: Attest build provenance
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-path: target/${{ matrix.target }}/release/pdu
+
       - name: Upload build artifact
         uses: actions/upload-artifact@v7
         with:
@@ -101,6 +111,11 @@ jobs:
 
     runs-on: macos-latest
 
+    permissions:
+      contents: read
+      id-token: write # needed for actions/attest-build-provenance
+      attestations: write
+
     strategy:
       fail-fast: true
       matrix:
@@ -126,6 +141,11 @@ jobs:
       - name: Strip all debug symbols
         run: strip target/${{ matrix.target }}/release/pdu
 
+      - name: Attest build provenance
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-path: target/${{ matrix.target }}/release/pdu
+
       - name: Upload build artifact
         uses: actions/upload-artifact@v7
         with:
@@ -137,6 +157,11 @@ jobs:
 
     runs-on: windows-latest
 
+    permissions:
+      contents: read
+      id-token: write # needed for actions/attest-build-provenance
+      attestations: write
+
     strategy:
       fail-fast: true
       matrix:
@@ -161,6 +186,11 @@ jobs:
       - name: Build
         run: cargo build --target ${{ matrix.target }} --release --all-features
 
+      - name: Attest build provenance
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-path: target/${{ matrix.target }}/release/pdu.exe
+
       - name: Upload build artifact
         uses: actions/upload-artifact@v7
         with:
@@ -218,9 +248,25 @@ jobs:
 
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: write
+      id-token: write # needed for actions/attest-build-provenance
+      attestations: write
+
     steps:
       - uses: actions/checkout@v6
 
+      - name: Attest build provenance
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-path: |
+            ./exports/completion.bash
+            ./exports/completion.fish
+            ./exports/completion.zsh
+            ./exports/completion.ps1
+            ./exports/completion.elv
+            ./exports/pdu.1
+
       - name: Upload Tab-Completion file for Bash
         uses: actions/upload-release-asset@v1.0.2
         env:
@@ -349,6 +395,11 @@ jobs:
 
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: write
+      id-token: write # needed for actions/attest-build-provenance
+      attestations: write
+
     steps:
       - uses: actions/checkout@v6
 
@@ -363,6 +414,14 @@ jobs:
       - name: Create checksums
         run: ./ci/github-actions/create-checksums.sh
 
+      - name: Attest build provenance
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-path: |
+            ./sha1sum.txt
+            ./sha256sum.txt
+            ./sha512sum.txt
+
       - name: Upload as artifacts
         uses: actions/upload-artifact@v7
         with:

README.md

@@ -146,6 +146,9 @@ Beware that the structure of the JSON tree differs depending on the number of fi
 
 Go to the [GitHub Release Page](https://github.com/KSXGitHub/parallel-disk-usage/releases) and download a binary.
 
+> [!NOTE]
+> Starting with version 0.22.1, every executable published to GitHub Releases ships with a build provenance attestation, so you can cryptographically verify that the binary was produced by this repository's deployment workflow rather than uploaded by hand. See [_How can I trust the release binaries?_](#how-can-i-trust-the-release-binaries) for the verification command.
+
 #### From [crates.io](https://crates.io)
 
 **Prerequisites:**
@@ -183,6 +186,21 @@ No. "Vibe coding" means letting AI do everything without human involvement. This
 
 Using AI also does not mean poor quality. On the contrary, AI reviews have helped detect previously undetected bugs.
 
+### How can I trust the release binaries?
+
+Starting with version 0.22.1, every executable published to [GitHub Releases](https://github.com/KSXGitHub/parallel-disk-usage/releases) is accompanied by a [build provenance attestation](https://docs.github.com/en/actions/how-tos/secure-your-work/use-artifact-attestations/use-artifact-attestations). The attestation is cryptographically signed by [Sigstore](https://www.sigstore.dev/) — a public-good signing service operated by the Linux Foundation — and records that the binary was built by this repository's GitHub Actions deployment workflow from a specific commit. Because the signing happens inside GitHub's infrastructure via OIDC and the signatures are logged to Sigstore's public transparency log, the guarantee does not depend on trusting the maintainer's personal word: any tampered or manually uploaded binary would fail verification.
+
+To verify a downloaded binary, install the [GitHub CLI](https://cli.github.com/) and run:
+
+```sh
+gh attestation verify downloaded-pdu --repo KSXGitHub/parallel-disk-usage
+# note: replace `downloaded-pdu` with the filename you downloaded.
+```
+
+A successful run prints the signer workflow and confirms that the file's SHA-256 matches the attested digest. All attestations for this repository can also be browsed at the [Attestations page](https://github.com/KSXGitHub/parallel-disk-usage/attestations).
+
+Binaries from releases older than 0.22.1 are not attested.
+
 ## Similar programs
 
 * **CLI:**