Add attestations

Author: briandfoy

perl-module-release.yml

@@ -20,6 +20,8 @@ env:
 
 permissions:
     contents: write
+    id-token: write
+    attestations: write
 
 on:
     push:
@@ -94,12 +96,24 @@ jobs:
                 perl -00 -lne 'next unless /\A\d+\.\d+(_\d+)?/; print; last' Changes > Changes-latest
                 cat Changes-latest
               id: extract
+# https://cli.github.com/manual/gh_attestation_verify
+# DISTRO_FILE is the .tar.gz in the release
+# GITHUB_ACCOUNT is the github name of the releaser
+#  gh auth login
+#  gh attestation verify DISTRO_FILE --owner GITHUB_ACCOUNT
+            - name: Generate artifact attestation
+              id: attestation
+              uses: actions/attest-build-provenance@v1
+              with:
+                subject-path: ${{ env.ASSET_NAME }}
             - name: upload
               uses: softprops/action-gh-release@v1
               with:
                 body_path: Changes-latest
                 draft: false
                 prerelease: false
                 name: ${{ steps.version.outputs.name }}
-                files: "*.tar.gz"
+                files: |
+                    ${{ env.ASSET_NAME }}
+                    ${{ steps.attestation.outputs.bundle-path }}
                 token: ${{ secrets.RELEASE_ACTION_TOKEN }}