Add sbom attestations

[spoorcc]

Summary by CodeRabbit

• Documentation

  • Installation guide now includes detailed instructions for verifying dfetch release artifact authenticity and integrity using cryptographic attestations and verification tools.

• Chores

  • Workflow configuration updates enable automated generation, signing, and distribution of cryptographic attestations for all release artifacts.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 72007906-4057-4fde-9d2b-63d2524ea311

📥 Commits

Reviewing files that changed from the base of the PR and between de4b35b and 6534016.

📒 Files selected for processing (4)

• .github/workflows/build.yml
• .github/workflows/ci.yml
• .github/workflows/python-publish.yml
• doc/tutorials/installation.rst

---

Walkthrough

This change adds artifact attestation support to the build and publish workflows by granting additional GitHub permissions (attestations and id-token write access), updating runner egress rules to permit Sigstore service connections, and implementing attestation steps that use CycloneDX SBOM files as predicates. Documentation is added explaining how to verify release artifact integrity using GitHub CLI.

Changes

Cohort / File(s)	Summary
Workflow Attestation Permissions .github/workflows/build.yml, .github/workflows/python-publish.yml	Add attestations: write and id-token: write permissions, update egress restrictions for Sigstore/TUF endpoints, and implement actions/attest steps to generate attestations for binary distributions using CycloneDX SBOM files as predicates.
CI Workflow Permissions .github/workflows/ci.yml	Grant attestations: write and id-token: write permissions to support attestation and OIDC token operations.
Installation Documentation doc/tutorials/installation.rst	Add subsection documenting artifact integrity verification via GitHub CLI attestations with gh attestation verify example and reference links.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Suggested labels

github_actions, documentation

Suggested reviewers

• ben-edna

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Add sbom attestations' accurately captures the main change: implementing SBOM attestation functionality across multiple workflows and documentation.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feature/attest-sboms

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Review rate limit: 0/1 reviews remaining, refill in 60 minutes.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}