Refactor release script, add test run and document new attestation

Author: chrisyarbrough

.github/workflows/release.yml

@@ -12,8 +12,15 @@ permissions:
   attestations: write
 
 jobs:
+  test:
+    uses: ./.github/workflows/test.yml
+
   build:
+    needs: test
     runs-on: ubuntu-latest
+    env:
+      BUILD_PROJECT: src/ucll.build/ucll.build.csproj
+      ARTIFACTS_PATH: src/ucll.build/bin/artifacts/*
 
     steps:
     - name: Checkout repository
@@ -25,40 +32,30 @@ jobs:
         dotnet-version: '10.0.x'
 
     - name: Build ucll.build tool
-      run: dotnet build src/ucll.build/ucll.build.csproj
+      run: dotnet build ${{ env.BUILD_PROJECT }}
 
     - name: Run ucll.build to create release artifacts
       env:
         SKIP_GPG_SIGNING: 'true'
-      run: dotnet run --project src/ucll.build/ucll.build.csproj --no-build
-
-    - name: List artifacts
-      run: ls -lah src/ucll.build/bin/artifacts/
+      run: dotnet run --project ${{ env.BUILD_PROJECT }} --no-build
 
     - name: Upload artifacts
       uses: actions/upload-artifact@v4
       with:
         name: release-artifacts
-        path: src/ucll.build/bin/artifacts/*
+        path: ${{ env.ARTIFACTS_PATH }}
         if-no-files-found: error
 
     - name: Attest build provenance
       uses: actions/attest-build-provenance@v3
       with:
-        subject-path: src/ucll.build/bin/artifacts/*
+        subject-path: ${{ env.ARTIFACTS_PATH }}
 
     - name: Create GitHub Release
       uses: softprops/action-gh-release@v2
       if: startsWith(github.ref, 'refs/tags/')
       with:
-        files: |
-          src/ucll.build/bin/artifacts/ucll-osx-arm64.tar.gz
-          src/ucll.build/bin/artifacts/ucll-osx-x64.tar.gz
-          src/ucll.build/bin/artifacts/ucll-linux-arm64.tar.gz
-          src/ucll.build/bin/artifacts/ucll-linux-x64.tar.gz
-          src/ucll.build/bin/artifacts/ucll-win-arm64.zip
-          src/ucll.build/bin/artifacts/ucll-win-x64.zip
-          src/ucll.build/bin/artifacts/SHA256SUMS
+        files: ${{ env.ARTIFACTS_PATH }}
         generate_release_notes: true
         prerelease: true
         draft: true

.github/workflows/test.yml

@@ -4,6 +4,7 @@ on:
   pull_request:
     branches: [ "main" ]
   workflow_dispatch:
+  workflow_call:
 
 jobs:
   test:

Security.md

@@ -1,8 +1,11 @@
 # Security
 
-Commits and releases are cryptographically signed with my (Chris Yarbrough's) GPG key `F744D8C299C05EAA` to ensure authenticity.
+Commits and releases are cryptographically signed to ensure authenticity.
 
-> If you would like to contribute to this repo, you may optionally also sign your commits, but it's not a requirements, since I will be vetting each pull request anyway.
+- **Commits**: Signed with my (Chris Yarbrough's) GPG key `F744D8C299C05EAA`
+- **Release Artifacts** (v0.3.0+): Signed with GitHub's build provenance attestations using Sigstore
+
+> If you would like to contribute to this repo, you may optionally also sign your commits, but it's not a requirement, since I will be vetting each pull request anyway.
 
 Continue reading to learn how you can verify the repository and release artifacts.
 
@@ -34,7 +37,65 @@ Verify the integrity of this guide by comparing the key ID and fingerprint throu
 	- This guide.
 	- The public source of trust.
 
-## Verify Binaries
+## Verify Binaries (Recommended: v0.3.0+)
+
+Starting with v0.3.0, releases include cryptographic build provenance attestations that prove the artifacts were built by the official GitHub Actions workflow. This verification method is more secure and easier than GPG verification.
+
+### Prerequisites
+
+Install the GitHub CLI:
+```shell
+# macOS
+brew install gh
+
+# Linux (Debian/Ubuntu)
+sudo apt install gh
+
+# Windows
+winget install GitHub.cli
+```
+
+Authenticate with GitHub:
+```shell
+gh auth login
+```
+
+### Verification Steps
+
+1. Download a release artifact:
+   ```shell
+   gh release download v0.3.0 --pattern "ucll-osx-arm64.tar.gz" --repo chrisyarbrough/UnityCommandLineLauncher
+   ```
+
+2. Verify the attestation:
+   ```shell
+   gh attestation verify ucll-osx-arm64.tar.gz --owner chrisyarbrough
+   ```
+
+3. Successful verification confirms:
+   - ✓ The artifact was built by the official GitHub Actions workflow
+   - ✓ The artifact matches the exact commit SHA in the repository
+   - ✓ The build process is cryptographically signed and logged in Sigstore's transparency log
+   - ✓ No tampering occurred after the build
+
+### What the Attestation Proves
+
+The build provenance attestation includes:
+- **Repository**: chrisyarbrough/UnityCommandLineLauncher
+- **Workflow**: .github/workflows/release.yml
+- **Commit SHA**: The exact Git commit that produced this artifact
+- **Build Environment**: GitHub-hosted runner details
+- **Transparency Log**: Public Sigstore Rekor entry (searchable at https://search.sigstore.dev)
+
+This provides stronger security guarantees than traditional GPG signatures because:
+- The signing key is tied to the GitHub repository (not a personal GPG key)
+- The entire build process is attested, not just the final artifact
+- Signatures are logged in a public, tamper-proof transparency log
+- Verification doesn't require trusting or importing external keys
+
+## Verify Binaries (Legacy: GPG Method)
+
+For older releases (pre-v0.3.0) or builds that were created locally:
 
 1. Import my public key:
    ```shell