From 14ec4c5ac940c9cfe4c34a4a3a5e0e1d8ffad32f Mon Sep 17 00:00:00 2001 From: GrantBirki Date: Wed, 16 Apr 2025 12:38:01 -0700 Subject: [PATCH 1/3] add a note about "Verifying Release Binaries" --- README.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/README.md b/README.md index 635b2e6..475d90a 100644 --- a/README.md +++ b/README.md @@ -212,6 +212,15 @@ gh combine owner/repo --no-color LOG_LEVEL=DEBUG gh combine owner/repo ``` +## Verifying Release Binaries + +This project uses [goreleaser](https://goreleaser.com/) to build binaries and [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance) to publish the provenance of the release. + +You can verify the release binaries by following these steps: + +1. Download a release from the [releases page](https://github.com/github/gh-combine/releases). +2. Verify it `gh attestation verify --owner github ~/Downloads/darwin-arm64` (an example for darwin-arm64). + --- Run `gh combine --help` for more information and full command/options usage. From 76543428e3a2c970248fcea58304374d57ea0354 Mon Sep 17 00:00:00 2001 From: GrantBirki Date: Wed, 16 Apr 2025 17:04:06 -0700 Subject: [PATCH 2/3] attempting for SLSA L3 --- .github/workflows/release.yml | 31 +++++++++++++++++++++++++------ 1 file changed, 25 insertions(+), 6 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 0f04944..b97c28d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -5,13 +5,12 @@ on: tags: - "*" -permissions: - contents: write - id-token: write - attestations: write +permissions: {} jobs: release: + permissions: + contents: write runs-on: ubuntu-latest steps: 
@@ -34,6 +33,26 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # pin@v2 + - name: upload artifact + uses: actions/upload-artifact@4.6.2 with: - subject-path: "dist/" + name: gh-combine + path: dist/ + + sign: + needs: release + permissions: + id-token: write + attestations: write + contents: read + uses: github/salsa/.github/workflows/sign-artifact.yml@main + with: + name: gh-combine + artifact-path: "dist/" + + verify: + needs: sign + uses: github/salsa/.github/workflows/verify.yml@main + with: + name: gh-combine + artifact-path: dist/ From 12dc77cb99c07c0cfa0d6b7b6baa6b80564271f6 Mon Sep 17 00:00:00 2001 From: GrantBirki Date: Wed, 16 Apr 2025 17:13:26 -0700 Subject: [PATCH 3/3] remove extra quotes --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index b97c28d..b5bc8a1 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -48,7 +48,7 @@ jobs: uses: github/salsa/.github/workflows/sign-artifact.yml@main with: name: gh-combine - artifact-path: "dist/" + artifact-path: dist/ verify: needs: sign
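Review bot: The added `uses: actions/upload-artifact@4.6.2` line replaces a step that was pinned to a full commit SHA (the removed attest-build-provenance line carried `# pin@v2` beside its hash) with a mutable version tag, and the two new `github/salsa/.github/workflows/...@main` references float on a branch; in a workflow whose purpose is SLSA L3 provenance, the signing and verification steps are exactly the ones that should not be able to change underneath the release. Upstream upload-artifact tags are `v`-prefixed (`v4.6.2`), so the bare `4.6.2` ref may not even resolve — confirm by running the workflow. Pin all three to commit SHAs with the version in a trailing comment, e.g. `uses: actions/upload-artifact@<full-commit-sha>  # pin@v4.6.2` and `uses: github/salsa/.github/workflows/sign-artifact.yml@<full-commit-sha>  # pin@<tag>`. Separately, the new `verify` job declares no `permissions:` block, so under the workflow-level `permissions: {}` it inherits none; check that the called verify.yml does not need a token scope. The `release` job's steps begin outside the hunk.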