
feat(release): add artifact attestations and SHA256 checksums #16

Merged
mikkihugo merged 2 commits into main from feat/artifact-attestations
Nov 11, 2025

Conversation

@github-actions (Contributor)

Analyzing changes...

Commits:

  • feat(release): add artifact attestations and SHA256 checksums

Changed Files:

.github/workflows/release.yml | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)

Detailed Changes:

Security & verification improvements (best practice for 2025):
- GitHub Artifact Attestations for crate package and all binaries
- SLSA Build Level 2 compliance
- SHA256 checksums for all release artifacts
- Cryptographic proof that artifacts came from GitHub Actions
- Users can verify with: gh attestation verify <artifact>

Enterprise Cloud feature - no GPG keys needed, automatic signing.
@github-actions (Contributor, Author)

🔍 Automated Checks

🔍 Checking for stale files and out-of-scope changes...

Stale File Check

✅ No stale files detected

Scope Check

Checking file relevance (blocks binaries, temp files, etc.)...

✅ All changes appear relevant (includes .github/ workflows, src/, docs, config)

ℹ️ Note: 1 .github/ file(s) changed - workflows/actions are critical infrastructure


Claude is reviewing the code... Check the "Claude Code Review" step for detailed feedback.

@mikkihugo (Contributor) left a comment


✅ Claude AI approved this PR! All checks passed. Will auto-merge when CI is green.

@mikkihugo mikkihugo enabled auto-merge (squash) November 11, 2025 09:36
@mikkihugo mikkihugo merged commit 4bd7a36 into main Nov 11, 2025
9 checks passed
@mikkihugo mikkihugo deleted the feat/artifact-attestations branch November 11, 2025 09:38
@qodo-code-review

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
🟢
No security concerns identified. No security vulnerabilities detected by AI analysis. Human verification advised for critical code.
Ticket Compliance
🎫 No ticket provided
Codebase Duplication Compliance
Codebase context is not defined


Custom Compliance
🟢
Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.

Status: Passed


Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.

Status: Passed


Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities

Status: Passed


Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.

Status:
Limited audit logs: The workflow adds attestation and checksum steps but does not include explicit logging of
critical actions (e.g., who triggered release, outcomes of attestation/checksum
generation), which may limit auditability depending on existing workflow logging.

Referred Code
    - name: Generate artifact attestation (Unix)
      if: runner.os != 'Windows'
      uses: actions/attest-build-provenance@v2
      with:
        subject-path: ${{ matrix.artifact_name }}.tar.gz

    - name: Generate artifact attestation (Windows)
      if: runner.os == 'Windows'
      uses: actions/attest-build-provenance@v2
      with:
        subject-path: ${{ matrix.artifact_name }}.zip

    - name: Upload artifact
      uses: actions/upload-artifact@v4
      with:
        name: ${{ matrix.artifact_name }}
        path: |
          *.tar.gz
          *.zip

upload-artifacts:


 ... (clipped 23 lines)


Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation

Status:
Unhandled failures: The checksum generation and attestation steps rely on shell commands/actions without
explicit error handling or conditional checks for absent artifacts beyond a final echo,
which may allow silent partial failures in CI.

Referred Code
- name: Generate SHA256 checksums for binaries
  run: |
    find . -name "*.tar.gz" -o -name "*.zip" | while read file; do
      sha256sum "$file" >> BINARY_SHA256SUMS
    done
    cat BINARY_SHA256SUMS || echo "No binary artifacts found"


Compliance status legend
  • 🟢 - Fully Compliant
  • 🟡 - Partially Compliant
  • 🔴 - Not Compliant
  • ⚪ - Requires Further Human Verification
  • 🏷️ - Compliance label
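The PR description says consumers verify releases with `gh attestation verify <artifact>`, and the qodo note on the checksum step points out that the `find | while read` loop cannot fail when no artifact matched. The POSIX shell script below is an added example, not code from this PR or the project: it shows a hardened form of the checksum generation step (grouped `-o` expression, regular files only, non-zero exit when nothing was found) next to the consumer-side checks that go with it, checksum verification followed by the attestation check. The function names, the `SHA256SUMS` file name, the constructed sample artifacts and the `--owner` value are assumptions for the example; `gh attestation verify <file> --owner <owner>` is the real CLI syntax.

```shell
#!/bin/sh
# Added example (not from the PR): producer-side checksum generation that
# fails loudly, plus consumer-side checksum and attestation verification.
# Assumptions: artifacts are *.tar.gz / *.zip files in one directory;
# sha256sum (coreutils) or shasum (perl) is installed; `gh` is only needed
# for the attestation step and is skipped when absent.

set -eu

# Pick a checksum tool: coreutils sha256sum, else BSD/macOS `shasum -a 256`.
sha256_cmd() {
  if command -v sha256sum >/dev/null 2>&1; then
    echo "sha256sum"
  else
    echo "shasum -a 256"
  fi
}

# Hardened version of the PR's checksum step. Differences from the original:
# the -o expression is grouped, only regular files are hashed, output is
# sorted for reproducible diffs, and an empty result is an error instead of
# an "echo" that leaves CI green. Writes <dir>/<out> with paths relative to
# <dir>, which is what `sha256sum -c` expects on the consumer side.
write_checksums() {
  dir=$1
  out=$2
  (
    cd "$dir"
    find . -type f \( -name '*.tar.gz' -o -name '*.zip' \) \
      -exec $(sha256_cmd) {} + | LC_ALL=C sort -k2 > "$out"
  )
  if [ ! -s "$dir/$out" ]; then
    echo "error: no release artifacts found under $dir" >&2
    return 1
  fi
}

# Consumer-side integrity check: every line of the checksum file must match.
# Both sha256sum and shasum exit non-zero on a mismatch or a missing file,
# so the exit status is the result.
verify_checksums() {
  dir=$1
  sums=$2
  (
    cd "$dir"
    $(sha256_cmd) -c "$sums" >/dev/null
  )
}

# Consumer-side provenance check. A checksum file published next to the
# artifacts proves nothing about origin; the attestation binds the digest to
# a GitHub Actions workflow run. <owner> is the org or user that owns the
# repository (assumed caller-supplied here).
verify_attestation() {
  artifact=$1
  owner=$2
  if ! command -v gh >/dev/null 2>&1; then
    echo "skip: gh CLI not installed, attestation not verified" >&2
    return 2
  fi
  gh attestation verify "$artifact" --owner "$owner"
}
```

Run `write_checksums <release-dir> SHA256SUMS` in the job that assembles the release, and on the consumer side run `verify_checksums` and then `verify_attestation` on each downloaded file. Anyone who can replace an artifact in a release can usually replace the checksum file beside it, so the checksum alone only catches corruption or a mixed-up download; the attestation check is what establishes that the bytes came from a workflow run in that repository. For a stricter policy, `gh attestation verify` also accepts `--repo owner/name` and `--signer-workflow` to pin the exact repository and workflow expected to have produced the artifact.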
