In #1012 we shipped GitHub artifact attestations for artifacts. However, as @Gankra rightly pointed out, the installers are very powerful and could easily do any number of things, including replacing the gh CLI, and so if we want to Do Real Security and not hand-wave, we should also attest and then verify the installer artifacts as well. (This may, if possible, move the attestation step to the announce step, where the list of all the artifacts is right there.)
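As an added illustration (not code from the original issue or from the project it belongs to), this is the shape an announce-stage job could take if the attestation step is moved there and the glob is widened to cover the installer scripts as well as the archives. It uses GitHub's `actions/attest-build-provenance` action and `actions/download-artifact`; the job name, the `dist/` directory, the archive and installer file names, and the `OWNER/REPO` placeholder are all assumptions for the example. The verify command a consumer runs before executing an installer is shown as a comment, since that is the step that closes the "installer replaces gh" gap: the check has to happen before the script is run, not after.

```yaml
# Assumed layout: an 'announce' job that already has every release artifact
# in ./dist, including the generated installers (*-installer.sh, *-installer.ps1).
announce:
  runs-on: ubuntu-latest
  permissions:
    contents: read
    id-token: write      # sign the attestation with the workflow's OIDC identity
    attestations: write  # store the attestation against the repository
  steps:
    - uses: actions/download-artifact@v4
      with:
        path: dist
        merge-multiple: true
    # One attestation step covers archives and installers alike; the
    # installer globs are the part that #1012's step did not include.
    - uses: actions/attest-build-provenance@v1
      with:
        subject-path: |
          dist/*.tar.xz
          dist/*.zip
          dist/*-installer.sh
          dist/*-installer.ps1
    # Consumer side (assumed file name): verify the installer before it is
    # ever executed, and fail closed if no matching attestation exists.
    #   gh attestation verify dist/foo-installer.sh --repo OWNER/REPO \
    #     && sh dist/foo-installer.sh
```

Two things worth keeping in mind with this shape: `gh attestation verify` exits non-zero when it cannot find an attestation for the file's digest signed by that repository's workflow identity, so chaining it with `&&` means an unattested or tampered installer never runs; and because the attestation is keyed on the artifact's digest, any installer regenerated after this step (for example, by a later templating pass) would need to be re-attested, which is one reason to do it at the announce step where the final list of artifacts is already at hand.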