Add build provenance visibility to releases

Mosh-K · Mosh-K · commit 35b629e2066c · 2026-04-09T01:14:59.000+03:00
- Rename release zip to *-bin.zip to distinguish from GitHub's auto-generated source zip
- Add provenance verification instructions to release notes body
- Add attestation badge to README
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -33,3 +33,13 @@ jobs:
         uses: softprops/action-gh-release@v2
         with:
           files: bin/*.zip
+          body: |
+            ## Verify provenance
+
+            The release zip is built and signed via GitHub Actions. Verify with the [GitHub CLI](https://cli.github.com/):
+
+            ```
+            gh attestation verify <XrmTypeScript-vX.X.X-bin.zip> --repo Mosh-K/XrmTypeScript
+            ```
+
+            [View attestations](https://github.com/Mosh-K/XrmTypeScript/attestations)
diff --git a/README.md b/README.md
@@ -2,6 +2,7 @@
 
 [![CI](https://github.com/Mosh-K/XrmTypeScript/actions/workflows/ci.yml/badge.svg)](https://github.com/Mosh-K/XrmTypeScript/actions/workflows/ci.yml)
 [![Release](https://img.shields.io/github/v/release/Mosh-K/XrmTypeScript)](https://github.com/Mosh-K/XrmTypeScript/releases/latest)
+[![Attestation](https://img.shields.io/badge/build-attested-brightgreen?logo=github)](https://github.com/Mosh-K/XrmTypeScript/attestations)
 
 XrmTypeScript generates TypeScript declaration files from your Dynamics 365 / Power Apps solution,
 giving you full intellisense and compile-time type safety for form scripting and Web API development.
diff --git a/build.fsx b/build.fsx
@@ -94,7 +94,7 @@ let runXts () =
 let zip tag =
     let buildOutDir = "src/bin/Release/net462"
     let stageDir    = "temp/zipstage"
-    let zipPath     = $"bin/XrmTypeScript-{tag}.zip"
+    let zipPath     = $"bin/XrmTypeScript-{tag}-bin.zip"
 
     cleanDir stageDir
 
