martincostello (Member)
Attest the SBOM and lib files in the NuGet packages.

Attest the SBOM and `lib` files in the NuGet packages.
codecov bot commented Jun 16, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 96.23%. Comparing base (8c4f053) to head (8a8b28f).
Report is 1 commit behind head on main.

✅ All tests successful. No failed tests found.

Additional details and impacted files

```
@@           Coverage Diff           @@
##             main    #2647   +/-   ##
=======================================
  Coverage   96.23%   96.23%           
=======================================
  Files         311      311           
  Lines        7329     7329           
  Branches     1013     1013           
=======================================
  Hits         7053     7053           
  Misses        222      222           
  Partials       54       54           
```

| Flag | Coverage Δ |
|---|---|
| linux | 96.23% <ø> (ø) |
| macos | 96.23% <ø> (ø) |
| windows | 96.22% <ø> (ø) |


Attest the SBOM and the contents of the NuGet packages after they have been signed.
martincostello added this to the v8.6.1 milestone Jun 16, 2025
martincostello marked this pull request as ready for review June 16, 2025 15:21
Copilot AI review requested due to automatic review settings June 16, 2025 15:21
martincostello enabled auto-merge (squash) June 16, 2025 15:21
Copilot AI left a comment

Pull Request Overview

This PR adds steps to attest the SBOM and library files in the NuGet packages by downloading the SBOM, extracting package contents, and running an attestation action.

  • Added permissions to allow attestation.
  • Implemented SBOM download and package extraction in the Windows job.
  • Configured actions/attest-build-provenance to attest both SBOM and lib files.
Comments suppressed due to low confidence (3)

.github/workflows/build.yml:371

  • [nitpick] The variable name `$packages` is ambiguous; consider renaming it to something more descriptive like `$nupkgFiles` to clarify that it contains file paths.
  `$packages = Get-ChildItem -Filter "*.nupkg" | ForEach-Object { $_.FullName }`

.github/workflows/build.yml:372

  • Consider explicitly creating the root artifacts directory (e.g., `New-Item -ItemType Directory -Path $artifactsPath`) before extracting packages, to avoid errors if the SBOM download step fails.
  `$artifactsPath = Join-Path ${env:GITHUB_WORKSPACE} "artifacts"`

.github/workflows/build.yml:390

  • The glob pattern `./artifacts/*/lib/**/*` may match directories as well as files; consider specifying file extensions (e.g., `./artifacts/*/lib/**/*.dll`) or adjusting the pattern to only include the intended artifact files.
  `./artifacts/*/lib/**/*`

martincostello merged commit cdc32c7 into main Jun 16, 2025
26 checks passed
martincostello deleted the attest-artifacts branch June 16, 2025 15:30

martincostello (Member, Author)

Verified using the Polly 8.6.1 release by:

  1. Downloading the .nupkg file from NuGet
  2. Changing the file extension to .zip and extracting the contents
  3. Running gh attestation verify --owner App-vNext ./lib/net6.0/Polly.dll:
```
❯ gh attestation verify --owner App-vNext .\Polly.dll
Loaded digest sha256:d350546675b69e5985c70f98f6d200f768701f633d6041b1df1d23a07ef80240 for file://Polly.dll
Loaded 1 attestation from GitHub API

The following policy criteria will be enforced:
- Predicate type must match:................ https://slsa.dev/provenance/v1
- Source Repository Owner URI must match:... https://github.com/App-vNext
- Subject Alternative Name must match regex: (?i)^https://github.com/App-vNext/
- OIDC Issuer must match:................... https://token.actions.githubusercontent.com

✓ Verification succeeded!

The following 1 attestation matched the policy criteria

- Attestation #1
  - Build repo:..... App-vNext/Polly
  - Build workflow:. .github/workflows/build.yml@refs/tags/8.6.1
  - Signer repo:.... App-vNext/Polly
  - Signer workflow: .github/workflows/build.yml@refs/tags/8.6.1
```
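The manual check above (treat the .nupkg as a zip, extract it, run `gh attestation verify --owner App-vNext` on each lib file) automated in Python, as an added example that is not code from the Polly repository or its workflow; it also applies the review's glob caveat by only treating regular files under `lib/` as subjects. The owner and package path are arguments, and the sample package is constructed for offline runs.

```python
"""Extract a .nupkg and verify its lib/ files with gh attestation verify.

Added example (not Polly project code): one gh call per file, directories
skipped, and the sha256 digest that gh reports computed locally.
"""
import hashlib
import subprocess
import tempfile
import zipfile
from pathlib import Path

def extract_lib_files(nupkg: Path, dest: Path) -> list[Path]:
    """Extract the package (a zip) into dest and return only files under lib/."""
    dest.mkdir(parents=True, exist_ok=True)  # create the root directory first
    with zipfile.ZipFile(nupkg) as zf:
        zf.extractall(dest)
    # Directories are dropped: attestation subjects must be files.
    return sorted(p for p in (dest / "lib").rglob("*") if p.is_file())

def sha256_digest(path: Path) -> str:
    """Same form gh prints: 'Loaded digest sha256:<hex> for file://...'."""
    return "sha256:" + hashlib.sha256(path.read_bytes()).hexdigest()

def verify_command(owner: str, path: Path) -> list[str]:
    """The gh invocation used in the comment above, one subject per call."""
    return ["gh", "attestation", "verify", "--owner", owner, str(path)]

def verify_package(nupkg: Path, dest: Path, owner: str, run: bool = True) -> dict[str, str]:
    """Return {lib-relative path: digest}; with run=True, fail on any rejected file."""
    results: dict[str, str] = {}
    for f in extract_lib_files(nupkg, dest):
        results[f.relative_to(dest).as_posix()] = sha256_digest(f)
        if run:  # gh exits non-zero on policy mismatch or missing attestation
            subprocess.run(verify_command(owner, f), check=True)
    return results

def build_sample_nupkg(path: Path) -> Path:
    """Constructed stand-in package (not a real Polly build) for offline runs."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("Sample.nuspec", "<package/>")
        zf.writestr("lib/net6.0/Polly.dll", b"constructed sample bytes (net6.0)")
        zf.writestr("lib/net8.0/Polly.dll", b"constructed sample bytes (net8.0)")
    return path

def sample_run() -> dict[str, str]:
    """Offline demo: extract and digest the constructed package, no gh call."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = build_sample_nupkg(Path(tmp) / "Sample.nupkg")
        return verify_package(pkg, Path(tmp) / "artifacts", "App-vNext", run=False)
```

Against a real download, call `verify_package(Path("Polly.8.6.1.nupkg"), Path("artifacts"), "App-vNext")` with `gh` authenticated; each file is checked against the same policy criteria shown in the output above.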
