From 8526c4ad4378746b1b110c83169d53212373303b Mon Sep 17 00:00:00 2001
From: Pete Wagner <1559510+thepwagner@users.noreply.github.com>
Date: Thu, 16 May 2024 07:42:56 -0400
Subject: [PATCH 1/2] release: attest tarball provenance
---
 .github/workflows/release.yml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 2f4e79e..eb9b3fb 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -7,6 +7,7 @@ on:
 permissions:
 contents: write
 packages: write
+ id-token: write

 jobs:
 release:
@@ -29,10 +30,14 @@ jobs:
 mkdir -p tmp
 sed '/^# '$version'/,/^# /!d;//d;/^\s*$/d' CHANGELOG.md > tmp/release_changelog.md
 - name: Release
- uses: goreleaser/goreleaser-action@5df302e5e9e4c66310a6b6493a8865b12c555af2
+ uses: goreleaser/goreleaser-action@5df302e5e9e4c66310a6b6493a8865b12c555af2 # v2.8.0
 with:
 distribution: goreleaser
- version: v1.22.1
+ version: v1.25.1
 args: release --clean --release-notes=tmp/release_changelog.md
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ - name: "Sign .tar.gz"
+ uses: actions/attest-build-provenance@951c0c5f8e375ad4efad33405ab77f7ded2358e4 # v1.1.1
+ with:
+ subject-path: "dist/*.tar.gz"
From b0119f5fcee78d21be5f0ab4be53f4d2fc1169fb Mon Sep 17 00:00:00 2001
From: Pete Wagner <1559510+thepwagner@users.noreply.github.com>
Date: Thu, 16 May 2024 07:45:33 -0400
Subject: [PATCH 2/2] forgot permission
---
 .github/workflows/release.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index eb9b3fb..991318a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -8,6 +8,7 @@ permissions:
 contents: write
 packages: write
 id-token: write
+ attestations: write

 jobs:
 release:
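Review bot: In the first hunk of patch 1/2 (`@@ -7,6 +7,7 @@`), `id-token: write` is added to the workflow-level `permissions:` block, so every job in release.yml, and every step in those jobs, can request an OIDC token; the same holds for `attestations: write` in patch 2/2. That includes the third-party goreleaser action and the changelog `sed` script, while only the attest step appears to need these two scopes. Consider granting them in a job-level `permissions:` block (ideally on a dedicated attestation job) with a comment such as `# id-token + attestations: required by actions/attest-build-provenance`. The job list continues outside the hunk, so whether other jobs inherit these scopes cannot be confirmed from here.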
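Review bot: In the second hunk of patch 1/2 (`@@ -29,10 +30,14 @@`), the new attest step covers only `dist/*.tar.gz` and runs after the goreleaser step has already published the release. Anything else goreleaser emits (a checksums file, other archive formats, whatever `packages: write` is used for) presumably ships without provenance, and a failure in the attest step would leave a published release with no attestation. If that scope is intended, say so on the step, e.g. `# provenance for release tarballs only; verify with: gh attestation verify <file> --repo <owner>/<repo>`. The step name `Sign .tar.gz` is also slightly misleading, since the action records a signed provenance attestation for the file digests rather than signing the tarballs; `Attest .tar.gz provenance` would match the commit subject.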