slsa-framework / slsa-github-generator

Language-agnostic SLSA provenance generation for Github Actions
Apache License 2.0

[feature] Support for GitHub Attestation Store #3669

Open ianlewis opened 4 months ago

ianlewis commented 4 months ago

We should consider adding support for storing results in GitHub's attestation store.

I think, we would need to create a predicate that matches what the attestation store expects, so it would be slightly different than the ones we create today. This might be ok, since we aren't supporting SLSA v1.0 much in our workflows yet, so we could do it at the same time.

Related #3668

OpenWaygate commented 4 months ago

Great! Looking forward to a native implementation; for now I have to download each artifact and attest it with a workaround:

```yaml
# Job-level fragment: nest under the workflow's top-level `jobs:` key
  attestation:
    needs: [build]
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
      attestations: write
    strategy:
      matrix:
        artifact:
          - linux-amd64
          - linux-arm64
          - darwin-amd64
          - darwin-arm64
          - windows-amd64.exe
          - windows-arm64.exe
    steps:
      - name: Download artifact
        uses: actions/download-artifact@v4
        with:
          name: yutu-${{ matrix.artifact }}
      - name: Attest
        uses: actions/attest-build-provenance@v1
        with:
          subject-path: '${{ github.workspace }}/yutu-${{ matrix.artifact }}'
```

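
Added example (editor's illustration, not code from slsa-github-generator or from the commenter above) covering both points raised in this thread: the shape of an in-toto v1 Statement with a SLSA v1.0 provenance predicate, the format that ianlewis refers to when talking about a predicate matching what the attestation store expects, and a consumer-side check that a downloaded artifact's sha256 digest appears among the statement's subjects, which is the property the per-artifact matrix job above is producing. Artifact contents, the builder id, the build type URI and the source repository values are constructed placeholders; the artifact names reuse the `yutu-*` names from the workflow above. Only the statement structure is from the in-toto and SLSA v1.0 specifications.

```python
"""Build an in-toto v1 Statement with a SLSA v1.0 provenance predicate for a
set of artifacts, and verify an artifact against a statement's subjects.
Added example; not part of slsa-github-generator."""
import hashlib
import json

# Well-known type URIs from the in-toto and SLSA v1.0 specifications.
IN_TOTO_STATEMENT_V1 = "https://in-toto.io/Statement/v1"
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"

# Constructed sample artifacts: names taken from the matrix above, contents
# are placeholder bytes, not a real build output.
EXAMPLE_ARTIFACTS = {
    "yutu-linux-amd64": b"constructed linux/amd64 binary contents",
    "yutu-linux-arm64": b"constructed linux/arm64 binary contents",
}

# Constructed placeholders; a real builder id / build type would come from
# the CI platform and the generator, not from this script.
PLACEHOLDER_BUILDER_ID = "https://example.invalid/builders/placeholder@v1"
PLACEHOLDER_BUILD_TYPE = "https://example.invalid/buildtypes/placeholder/v1"
PLACEHOLDER_SOURCE_URI = "git+https://example.invalid/example-org/example-repo@refs/heads/main"
PLACEHOLDER_SOURCE_COMMIT = "0" * 40  # placeholder, not a real commit
PLACEHOLDER_INVOCATION_ID = "https://example.invalid/runs/placeholder"


def sha256_hex(data: bytes) -> str:
    """Hex sha256 digest, the digest algorithm used in subject entries."""
    return hashlib.sha256(data).hexdigest()


def make_subjects(artifacts: dict) -> list:
    """One subject per artifact: file name plus its sha256 digest.
    Sorted by name so the output is stable across runs."""
    return [
        {"name": name, "digest": {"sha256": sha256_hex(blob)}}
        for name, blob in sorted(artifacts.items())
    ]


def make_statement(artifacts: dict, build_type: str, builder_id: str,
                   source_uri: str, source_commit: str, invocation_id: str) -> dict:
    """Assemble the in-toto Statement envelope around a SLSA v1 predicate.
    buildDefinition says what was built and from what; runDetails says who
    (which builder) ran it, which is what a verifier's policy keys on."""
    return {
        "_type": IN_TOTO_STATEMENT_V1,
        "subject": make_subjects(artifacts),
        "predicateType": SLSA_PROVENANCE_V1,
        "predicate": {
            "buildDefinition": {
                "buildType": build_type,
                "externalParameters": {"source": {"uri": source_uri}},
                "internalParameters": {},
                "resolvedDependencies": [
                    {"uri": source_uri, "digest": {"gitCommit": source_commit}}
                ],
            },
            "runDetails": {
                "builder": {"id": builder_id},
                "metadata": {"invocationId": invocation_id},
            },
        },
    }


def build_example_statement() -> dict:
    """Statement over the constructed artifacts with the placeholder values."""
    return make_statement(EXAMPLE_ARTIFACTS, PLACEHOLDER_BUILD_TYPE,
                          PLACEHOLDER_BUILDER_ID, PLACEHOLDER_SOURCE_URI,
                          PLACEHOLDER_SOURCE_COMMIT, PLACEHOLDER_INVOCATION_ID)


def artifact_matches(statement: dict, name: str, data: bytes) -> bool:
    """True only if a subject with this exact name AND this sha256 exists.
    A digest mismatch means the bytes are not the ones that were attested;
    a missing name means this artifact is not covered by the statement."""
    digest = sha256_hex(data)
    return any(
        s.get("name") == name and s.get("digest", {}).get("sha256") == digest
        for s in statement.get("subject", [])
    )


def to_json(statement: dict) -> str:
    """Serialise with sorted keys so two runs over the same inputs agree."""
    return json.dumps(statement, sort_keys=True, separators=(",", ":"))


if __name__ == "__main__":
    stmt = build_example_statement()
    print(to_json(stmt))
    print("linux-amd64 ok:", artifact_matches(stmt, "yutu-linux-amd64",
                                               EXAMPLE_ARTIFACTS["yutu-linux-amd64"]))
    print("tampered ok:", artifact_matches(stmt, "yutu-linux-amd64", b"tampered"))
```

The check deliberately requires the name and the digest to agree, so a statement that covers `yutu-linux-arm64` does not vouch for a file renamed to that name with different contents, and a correct digest under the wrong name is also rejected. In practice the statement would be wrapped in a signed DSSE envelope and the signature verified before any of these fields are trusted.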
ianlewis commented 4 months ago

@OpenWaygate So I guess you are generating two attestations? One created by slsa-github-generator and one by the attest-build-provenance action?

OpenWaygate commented 4 months ago

Yes. While the one created by slsa-github-generator will appear in the release assets, the one created by attest-build-provenance will appear at https://github.com/username/projectname/attestations