[FEAT] Migrate SLSA to slsa-github-generator

[Joseph94m]

Is your feature request related to a problem? Please describe.

The release workflow currently uses slsa-framework/slsa-github-generator for SLSA provenance. This works, but has several limitations:

• No GitHub UI visibility: the generated .intoto.jsonl file is attached to the release as a loose asset. It does not appear in the repository's "Attestations" tab in the GitHub web UI.
• No native verification: users cannot run gh attestation verify against the released binaries. They have to manually use slsa-verifier instead.
• Extra complexity: the current setup requires a dedicated hash job to compute and base64-encode artifact digests, plus a reusable workflow call. This adds two extra jobs and a fragile data-passing chain (hash.outputs.hashes -> reusable workflow base64-subjects).
• Signing is opaque to GitHub: signing happens via Sigstore Fulcio using the GitHub Actions OIDC identity, but GitHub itself has no record of the attestation.

GitHub now offers a first-party alternative: actions/attest-build-provenance. It was made generally available in mid-2024 and is the recommended path for GitHub-hosted projects.

Describe the solution you'd like

Replace the slsa-github-generator reusable workflow and the hash job with actions/attest-build-provenance calls in the binaries or upload-release job.

The new approach:

• Calls actions/attest-build-provenance once per binary artifact (or once with a glob for all of them).
• Stores attestations in GitHub's native attestation store.
• Makes attestations visible in the GitHub web UI under the repo's Attestations tab.
• Enables gh attestation verify plumber-linux-amd64 --repo getplumber/plumber for end users.
• Removes the need for the hash job entirely.

Example usage in the workflow

- name: Attest build provenance
  uses: actions/attest-build-provenance@<pinned-sha>
  with:
    subject-path: dist/plumber-*

Configuration in .plumber.yaml

No changes needed. This is a CI infrastructure change, not a control or config change.

Implementation Hints

1. Remove the hash job (hash at line 369-389 in release.yml). It only exists to feed slsa-github-generator.
2. Remove the provenance job (provenance at line 391-403). Replace it with an actions/attest-build-provenance step inside the upload-release job, after downloading artifacts and before creating the release.
3. Update upload-release dependencies: remove provenance from needs, since provenance generation will happen inline.
4. Remove the .intoto.jsonl upload from the release assets (line 134), or keep it as a convenience download alongside the native attestation.
5. Update permissions: the upload-release job will need id-token: write and attestations: write added to its permissions block.

Files Touched

• .github/workflows/release.yml (remove hash and provenance jobs, add attest-build-provenance step to upload-release, update permissions and needs)

Why It's Valuable

• Simpler pipeline: removes two jobs and their output-passing wiring.
• GitHub-native UX: attestations show up in the web UI and are verifiable with gh attestation verify, which is what users expect on GitHub.
• Maintained by GitHub: actions/attest-build-provenance is a first-party action, reducing supply-chain risk from depending on an external reusable workflow.
• Better discoverability: consumers of the binary can find and verify provenance without needing to know about .intoto.jsonl files or slsa-verifier.

Community feedback already flagged this as an improvement (see discussion around preferring actions/attest-build-provenance over slsa-github-generator).

Note: If you submit a PR for this feature, please keep "Allow edits from maintainers" enabled so we can collaborate more easily.

[Joseph94m]

Closed in https://github.com/getplumber/plumber/releases/tag/v0.1.72