Add build attestation to CI pipeline

Copilot · eNeRGy164 · Copilot · commit 8909387a888c · 2025-07-01T07:55:23.000Z
Co-authored-by: eNeRGy164 &lt;10671831+eNeRGy164@users.noreply.github.com&gt;
diff --git a/.github/workflows/continuous.yml b/.github/workflows/continuous.yml
@@ -14,6 +14,10 @@ jobs:
   ubuntu-latest:
     name: ubuntu-latest
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+      attestations: write
     steps:
       - uses: actions/checkout@v4
         with:
@@ -32,6 +36,10 @@ jobs:
           NuGetApiKey: ${{ secrets.NUGET_API_KEY }}
       - name: Report Coveralls
         uses: coverallsapp/github-action@v2
+      - name: 'Attest: Build Provenance'
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-path: 'Artifacts/*.nupkg,Artifacts/*.snupkg'
       - name: 'Publish: Artifacts'
         uses: actions/upload-artifact@v4
         with:
diff --git a/README.md b/README.md
@@ -23,6 +23,16 @@ To use **DendroDocs.Shared** in your project, install it as a NuGet package:
 dotnet add package DendroDocs.Shared
 ```
 
+## Security & Build Attestation
+
+This library includes build attestation through GitHub's attest-build-provenance action, providing cryptographic proof of the build process and artifact integrity. Each published package includes verifiable provenance information that demonstrates:
+
+* The exact repository and commit that built the artifacts
+* The GitHub Actions workflow that produced the packages
+* Cryptographic signatures ensuring artifact authenticity
+
+This ensures that the packages you install have not been tampered with and came from the official DendroDocs build pipeline.
+
 ## Example usage
 
 ```csharp
