
fix: migrate from slsa-github-generator to actions/attest-build-provenance#542

Merged
CybotTM merged 1 commit intomainfrom
fix/migrate-attest
Mar 23, 2026

Conversation

@CybotTM CybotTM commented Mar 22, 2026

Summary

Migrates the release workflow from slsa-framework/slsa-github-generator to an org-wide reusable workflow at netresearch/.github using actions/attest-build-provenance.

Why

slsa-github-generator's internal actions use tag refs (@v2.1.0) which conflict with our SHA-pinning ruleset added in #536. This is a known unfixable limitation.

Architecture

netresearch/.github (PR #2)
└── .github/workflows/build-go-attest.yml    ← reusable workflow (SLSA L3 isolation)
    ├── actions/checkout
    ├── actions/setup-go
    ├── go build (cross-compile)
    ├── actions/attest-build-provenance      ← provenance attestation
    └── gh release upload                    ← upload binary

netresearch/ofelia (this PR)
└── .github/workflows/release-slsa.yml       ← caller workflow
    ├── build (8x matrix) → calls netresearch/.github reusable workflow
    ├── sbom (unchanged)
    ├── checksums + cosign (unchanged)
    ├── docker (unchanged)
    └── notifications (unchanged)

True SLSA Build Level 3: The build workflow lives in netresearch/.github — ofelia contributors cannot modify the build process even with write access to ofelia.

What changed

                 Before                                                       After
Build workflow   slsa-framework/slsa-github-generator (reusable, tag-pinned)  netresearch/.github reusable workflow (SHA-pinnable)
Attestation      SLSA provenance as .intoto.jsonl release asset               GitHub attestation store via actions/attest-build-provenance
Verification     slsa-verifier verify-artifact                                gh attestation verify
SLSA Level       3 (external builder)                                         3 (org-wide reusable workflow with branch protection)

Dependencies

Test plan

  • Merge .github PR first
  • CI passes on this PR
  • Delete v0.23.0 release, re-create to test end-to-end
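The Build Level 3 claim above rests on two checks a consumer must make against the attestation, not just on where the workflow file lives: the subject digest must be the binary actually downloaded, and the builder identity must be the org-wide reusable workflow rather than a workflow the ofelia repo itself controls. The following Go program is an added example written for this page, not code from the ofelia project or the netresearch/.github workflow. It models the policy part of that verification over a SLSA provenance v1 statement; the Sigstore signature over the statement is deliberately not checked here (that is what `gh attestation verify` does before these checks mean anything). The statement shape follows the SLSA v1 layout that GitHub's workflow buildtype emits, the builder id format is an assumption, and the policy values, the sample binary and the sample statements are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// Statement declares only the in-toto Statement v1 / SLSA provenance v1 fields
// this check reads (assumed layout, modelled on GitHub's workflow buildtype).
type Statement struct {
	Type          string `json:"_type"`
	PredicateType string `json:"predicateType"`
	Subject       []struct {
		Name   string            `json:"name"`
		Digest map[string]string `json:"digest"`
	} `json:"subject"`
	Predicate struct {
		BuildDefinition struct {
			ExternalParameters struct {
				Workflow struct {
					Repository string `json:"repository"` // the caller repo
				} `json:"workflow"`
			} `json:"externalParameters"`
		} `json:"buildDefinition"`
		RunDetails struct {
			Builder struct {
				ID string `json:"id"` // the workflow that actually ran the build
			} `json:"builder"`
		} `json:"runDetails"`
	} `json:"predicate"`
}

// Policy pins what a consumer expects: which repo requested the build and
// which reusable workflow (at which refs) is allowed to have performed it.
type Policy struct {
	SourceRepo  string   // caller repository URL
	BuilderPath string   // builder id up to and including the '@'
	AllowedRefs []string // refs the builder may run from
}

const (
	inTotoStatementV1 = "https://in-toto.io/Statement/v1"
	slsaProvenanceV1  = "https://slsa.dev/provenance/v1"
)

// Digest returns the lowercase hex SHA-256 of an artifact.
func Digest(artifact []byte) string {
	sum := sha256.Sum256(artifact)
	return hex.EncodeToString(sum[:])
}

// VerifyProvenance binds the statement to this exact artifact, to the expected
// source repo, and to the pinned org-wide builder. Signature checking is out of scope.
func VerifyProvenance(statementJSON, artifact []byte, pol Policy) error {
	var st Statement
	if err := json.Unmarshal(statementJSON, &st); err != nil {
		return fmt.Errorf("parse statement: %w", err)
	}
	if st.Type != inTotoStatementV1 || st.PredicateType != slsaProvenanceV1 {
		return fmt.Errorf("unexpected statement/predicate type %q/%q", st.Type, st.PredicateType)
	}
	// 1. Subject binding: the downloaded binary's digest must be a subject.
	want := Digest(artifact)
	found := false
	for _, s := range st.Subject {
		if strings.EqualFold(s.Digest["sha256"], want) {
			found = true
			break
		}
	}
	if !found {
		return fmt.Errorf("artifact sha256 %s is not a subject of the statement", want)
	}
	// 2. Source binding: the build must have been requested by the expected repo.
	if repo := st.Predicate.BuildDefinition.ExternalParameters.Workflow.Repository; repo != pol.SourceRepo {
		return fmt.Errorf("built for %q, expected %q", repo, pol.SourceRepo)
	}
	// 3. Builder binding (the L3 isolation check): a workflow living in the
	// source repo itself is rejected even though it is in the same org.
	builder := st.Predicate.RunDetails.Builder.ID
	if !strings.HasPrefix(builder, pol.BuilderPath) {
		return fmt.Errorf("builder %q is not the pinned reusable workflow", builder)
	}
	ref := strings.TrimPrefix(builder, pol.BuilderPath)
	for _, allowed := range pol.AllowedRefs {
		if ref == allowed {
			return nil
		}
	}
	return fmt.Errorf("builder ran from unapproved ref %q", ref)
}

// DefaultPolicy holds assumed values matching this PR's layout (example only).
var DefaultPolicy = Policy{
	SourceRepo:  "https://github.com/netresearch/ofelia",
	BuilderPath: "https://github.com/netresearch/.github/.github/workflows/build-go-attest.yml@",
	AllowedRefs: []string{"refs/heads/main"},
}

// SampleArtifact is constructed stand-in data for a release binary.
func SampleArtifact() []byte { return []byte("constructed stand-in for ofelia-linux-amd64\n") }

// SampleStatement builds a minimal constructed statement for a digest and builder id.
func SampleStatement(digest, builderID string) []byte {
	doc := map[string]any{
		"_type": inTotoStatementV1, "predicateType": slsaProvenanceV1,
		"subject": []map[string]any{{"name": "ofelia-linux-amd64", "digest": map[string]string{"sha256": digest}}},
		"predicate": map[string]any{
			"buildDefinition": map[string]any{"externalParameters": map[string]any{
				"workflow": map[string]string{"repository": "https://github.com/netresearch/ofelia"}}},
			"runDetails": map[string]any{"builder": map[string]string{"id": builderID}},
		},
	}
	b, _ := json.Marshal(doc)
	return b
}

func main() {
	art := SampleArtifact()
	good := SampleStatement(Digest(art), DefaultPolicy.BuilderPath+"refs/heads/main")
	fmt.Println("org-wide builder:", VerifyProvenance(good, art, DefaultPolicy))
	// A builder inside ofelia itself is editable by anyone with write access to ofelia.
	local := SampleStatement(Digest(art), "https://github.com/netresearch/ofelia/.github/workflows/release-slsa.yml@refs/heads/main")
	fmt.Println("caller-local builder:", VerifyProvenance(local, art, DefaultPolicy))
}
```

In real use the equivalent of check 3 is the signer identity in the Sigstore certificate: `gh attestation verify --repo netresearch/ofelia` alone binds only the source repository, so a consumer who wants the builder pinned passes `--signer-workflow` naming the reusable workflow path in netresearch/.github as well.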

Copilot AI review requested due to automatic review settings March 22, 2026 22:44
@gemini-code-assist

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request refactors the project's release workflow to enhance supply chain security and build process control. It addresses a known limitation with slsa-github-generator regarding SHA-pinning by transitioning to actions/attest-build-provenance. This migration shifts the build process to a self-hosted Go matrix, enabling direct control over compilation, and leverages GitHub's attestation store for provenance, ensuring full SHA-pinnability and a more robust verification mechanism.

Highlights

  • Build Workflow Migration: The release workflow has been migrated from slsa-framework/slsa-github-generator to actions/attest-build-provenance@v4.1.0.
  • SHA-Pinning Resolution: This change resolves conflicts with SHA-pinning rulesets by adopting a fully SHA-pinnable attestation method.
  • Build Control Enhancement: The build job now utilizes a self-hosted Go build matrix, providing greater control over the compilation process compared to the previous delegated SLSA builder.
  • Attestation and Verification Update: Provenance is now generated per binary and stored in GitHub's attestation store, with verification handled by gh attestation verify.
  • Configuration Cleanup: Eight .slsa-goreleaser/ configuration files have been removed as they are no longer required by the new workflow.
Ignored Files
  • Ignored by pattern: .github/workflows/** (1)
    • .github/workflows/release-slsa.yml

@github-actions

github-actions bot commented Mar 22, 2026

Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 1 package(s) with unknown licenses.
See the Details below.

License Issues

.github/workflows/release-slsa.yml

Package                                                        Version  License  Issue Type
netresearch/.github/.github/workflows/build-go-attest.yml      main     Null     Unknown License
Allowed Licenses: MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC, MPL-2.0, CC0-1.0, Unlicense
Excluded from license check: pkg:golang/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp, pkg:golang/go.opentelemetry.io/otel, pkg:golang/go.opentelemetry.io/otel/exporters/otlp/otlptrace, pkg:golang/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp, pkg:golang/go.opentelemetry.io/otel/metric, pkg:golang/go.opentelemetry.io/otel/trace, pkg:golang/golang.org/x/crypto, pkg:golang/golang.org/x/sys, pkg:golang/golang.org/x/term, pkg:golang/golang.org/x/text, pkg:golang/golang.org/x/time

OpenSSF Scorecard

Package                                                                 Version  Score    Details
actions/netresearch/.github/.github/workflows/build-go-attest.yml       main     Unknown  Unknown

Scanned Files

  • .github/workflows/release-slsa.yml

github-actions bot previously approved these changes Mar 22, 2026

@github-actions github-actions bot left a comment

Automated approval for solo maintainer project

All CI checks passed. See SECURITY.md for compensating controls.

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request migrates the release workflow from slsa-framework/slsa-github-generator to actions/attest-build-provenance. The changes consist of removing configuration files from the .slsa-goreleaser/ directory, which are now obsolete due to the new workflow. The file deletions are consistent with the migration described in the pull request. I have not found any issues in the provided changes.

Copilot AI left a comment

Pull request overview

Updates the release pipeline to stop using the SLSA GitHub Generator reusable workflow (which can’t fully comply with SHA-pinning rules) and instead generate build provenance via GitHub’s native attestation store using actions/attest-build-provenance.

Changes:

  • Replaced the SLSA reusable workflow-based build with an in-workflow Go build matrix (8 targets).
  • Added provenance generation via actions/attest-build-provenance and updated release verification instructions to use gh attestation verify.
  • Removed now-unused .slsa-goreleaser/ target config files.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
.github/workflows/release-slsa.yml Reworks the release build to self-build binaries, attest provenance, and update verification instructions.
.slsa-goreleaser/linux-386.yml Removed legacy SLSA builder config (no longer needed).
.slsa-goreleaser/linux-amd64.yml Removed legacy SLSA builder config (no longer needed).
.slsa-goreleaser/linux-arm64.yml Removed legacy SLSA builder config (no longer needed).
.slsa-goreleaser/linux-armv6.yml Removed legacy SLSA builder config (no longer needed).
.slsa-goreleaser/linux-armv7.yml Removed legacy SLSA builder config (no longer needed).
.slsa-goreleaser/darwin-amd64.yml Removed legacy SLSA builder config (no longer needed).
.slsa-goreleaser/darwin-arm64.yml Removed legacy SLSA builder config (no longer needed).
.slsa-goreleaser/windows-amd64.yml Removed legacy SLSA builder config (no longer needed).

slsa-framework/slsa-github-generator's internal actions use tag refs
which conflict with our SHA-pinning ruleset. This is a known unfixable
limitation (slsa-framework/slsa-github-generator#4440).

Replace with:
- Org-wide reusable workflow at netresearch/.github (SLSA Build L3:
  build runs in a separate repo the caller cannot modify)
- actions/attest-build-provenance@v4.1.0 for provenance attestations
  (SHA-pinnable, stores in GitHub's attestation store)
- Verification via `gh attestation verify` instead of `slsa-verifier`

Remove .slsa-goreleaser/ configs (no longer needed).

Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>
@github-actions github-actions bot left a comment

Automated approval for solo maintainer project

All CI checks passed. See SECURITY.md for compensating controls.

@CybotTM CybotTM added this pull request to the merge queue Mar 23, 2026
Merged via the queue into main with commit 530349d Mar 23, 2026
28 checks passed
@CybotTM CybotTM deleted the fix/migrate-attest branch March 23, 2026 07:10