From 8bb86e37339c9e654637b6ac172af0eafda394d9 Mon Sep 17 00:00:00 2001
From: Benjamin Michaelis
Date: Fri, 22 May 2026 14:50:57 -0700
Subject: [PATCH] feat(ci): add nuget package attestation

Add GitHub artifact attestation permissions and an actions/attest step in the deploy job so release nupkg artifacts include signed provenance metadata.
---
 .github/workflows/deploy.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 2819146..6fbd65f 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -57,6 +57,8 @@ jobs:
 url: 'https://www.nuget.org/packages/IntelliTect.Multitool'
 permissions:
 id-token: write # Required for OIDC token (NuGet trusted publishing)
+ attestations: write # Required for GitHub artifact attestations
+ artifact-metadata: write # Required to create artifact storage records
 contents: write # Required for softprops/action-gh-release
 steps:
 - name: Download artifact from build job
@@ -68,6 +70,10 @@ jobs:
 run: |
 $tagVersion = "${{ github.ref }}".substring(11)
 echo "TAG_VERSION=$tagVersion" >> $env:GITHUB_OUTPUT
+ - name: Attest NuGet package provenance
+ uses: actions/attest@v4
+ with:
+ subject-path: IntelliTect.Multitool.${{ steps.tag-version.outputs.TAG_VERSION }}.nupkg
 - name: NuGet login
 uses: NuGet/login@v1
 id: login
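Review bot: The comment on the existing `id-token: write` line in this permissions block still names only NuGet trusted publishing, although the attest step added later in this patch also relies on that OIDC token to obtain its signing certificate. I would update it to `id-token: write # Required for OIDC token (NuGet trusted publishing and attestation signing)` so a later cleanup of the NuGet login does not silently break attestation. The job now holds four write scopes next to third-party actions. If the rest of the job (outside this hunk) allows it, moving attestation into its own job with only `id-token`, `attestations` and `artifact-metadata` would keep `contents: write` away from the signing step.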
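Review bot: `uses: actions/attest@v4` references a mutable tag in a job that holds `id-token: write` and `attestations: write`, so whatever the tag points at on release day is what signs the provenance. Pin it to a full commit SHA, e.g. `uses: actions/attest@<full-commit-sha> # v4` (placeholder; take the SHA from the release you reviewed). The same applies to `NuGet/login@v1` in the trailing context. Separately, the digest attested here is that of the file downloaded from the build job, and nuget.org is understood to add a repository signature on ingestion, so a copy fetched from nuget.org will likely not match; a comment such as `# Attests the pre-publish .nupkg; the copy served by nuget.org is repository-signed and will have a different digest` would save consumers a failed verification. The steps list starts and continues outside this hunk.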