cpp-linter / .github

Global configurations for cpp-linter organization on GitHub
MIT License

Generate build provenance attestations #28

Open shenxianpeng opened 1 month ago

shenxianpeng commented 1 month ago

It looks like GitHub rolled out their own attestations in beta. I wonder if we could integrate with that. For more details, see below:

2bndy5 commented 1 month ago

That last link was most helpful to me. I've never been too concerned about verifying "artifacts" that I download over the Internet.

Now that I have a better understanding of provenance attestation, my first thought was the static binaries we are distributing via clang-tools-pip. This is where I'd start integrating proper attestation. Then we can use such attestation downstream in cpp-linter-action (or in clang-tools-pip itself)...

PyPI does not support any form of digital signing (that I'm aware of). Just last year, they dropped their support for PGP signatures.
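The attest-then-verify flow sketched above, as an added example rather than the project's own workflow: the producer job attaches a provenance attestation to each shipped binary, and the consumer job refuses to run a downloaded binary whose attestation does not verify. Job names, the build script, the artifact paths under `dist/` and the `CLANG_FORMAT_URL` variable are assumptions; `actions/attest-build-provenance` and `gh attestation verify` are the real GitHub tooling.

```yaml
# Added example (not from clang-tools-pip or cpp-linter-action).
# 1) Producer: the repository that builds and publishes the static binaries.
name: build-and-attest
on:
  push:
    tags: ['v*']
permissions:
  contents: read
  id-token: write       # lets the job obtain a Sigstore signing identity
  attestations: write   # lets the job store the attestation on GitHub
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build static binaries
        run: ./build.sh   # assumption: writes dist/clang-format, dist/clang-tidy
      - name: Attest build provenance
        uses: actions/attest-build-provenance@v1
        with:
          subject-path: 'dist/*'   # one provenance statement per file matched
---
# 2) Consumer: cpp-linter-action (or clang-tools-pip at download time).
name: verify-downloaded-tools
on: [workflow_dispatch]
jobs:
  verify:
    runs-on: ubuntu-latest
    steps:
      - name: Download the published binary
        env:
          BINARY_URL: ${{ vars.CLANG_FORMAT_URL }}   # assumption: repo variable
        run: curl -fsSLo clang-format "$BINARY_URL"
      - name: Verify provenance before using the binary
        env:
          GH_TOKEN: ${{ github.token }}   # gh needs a token to query attestations
        run: |
          # Exits non-zero unless an attestation signed by a workflow in the
          # cpp-linter org matches the SHA-256 digest of this exact file.
          # Keeping chmod/exec after it means a failed check never runs the tool.
          gh attestation verify clang-format --owner cpp-linter
          chmod +x clang-format
          ./clang-format --version
```

The verification step also fails if the file was modified after attestation, since the digest no longer matches, which is the tampering case the download path is exposed to.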

shenxianpeng commented 1 month ago

To summarize your thoughts, we can at least start with this:

Maybe we do not need to verify attestation in cpp-linter-action, because the static binaries have been verified in clang-tools-pip.

Digital signing seems to be on PyPI's roadmap: https://github.com/pypi/warehouse/issues/15871