feat: add build verification and attestation to releases

- Generate SHA256 checksums for each release
- Add GitHub Actions build attestation
- Create VERIFICATION.md for each release
- Include verification instructions in release notes
- Document reproducible build process

Author: explicitcontextualunderstanding

.github/workflows/release.yml

@@ -3,63 +3,148 @@ name: Release
 on:
   push:
     tags:
-      - 'v*'
+    - 'v*'
   workflow_dispatch:
     inputs:
       version:
         description: 'Release version (e.g., v1.0.0)'
         required: false
         type: string
 
+permissions:
+  contents: write
+  attestations: write
+  id-token: write
+
 jobs:
   build-release:
     runs-on: macos-26
 
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Setup Swift
-        uses: maartene/setup-swift@main
-        with:
-          swift-version: '6.2'
-
-      - name: Build Release
-        run: swift build -c release
-
-      - name: Create Release
-        if: github.event_name == 'push'
-        uses: softprops/action-gh-release@v1
-        with:
-          name: ${{ github.ref_name }}
-          draft: false
-          prerelease: ${{ contains(github.ref_name, 'alpha') || contains(github.ref_name, 'beta') }}
-          files: |
-            .build/release/container-compose
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Upload to Release
-        if: github.event_name == 'workflow_dispatch'
-        run: |
-          # Create release if it doesn't exist
-          VERSION="${{ github.inputs.version || 'latest' }}"
-          TAG="v${VERSION#v}"
-
-          # Create or get release ID
-          RELEASE_ID=$(gh api repos/${{ github.repository }}/releases/tags/$TAG --jq '.id' 2>/dev/null || echo "")
-
-          if [ -z "$RELEASE_ID" ]; then
-            RELEASE_ID=$(gh api repos/${{ github.repository }}/releases -X POST \
-              --field tag_name="$TAG" \
-              --field name="$TAG" \
-              --field draft=false \
-              --jq '.id')
-          fi
-
-          # Upload asset
-          gh api repos/${{ github.repository }}/releases/$RELEASE_ID/assets \
-            -F "file=@.build/release/container-compose" \
-            -F "name=container-compose"
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Setup Swift
+      uses: maartene/setup-swift@main
+      with:
+        swift-version: '6.2'
+
+    - name: Build Release
+      run: swift build -c release
+
+    - name: Generate SHA256 Checksum
+      id: checksum
+      run: |
+        shasum -a 256 .build/release/container-compose | awk '{print $1}' > .build/release/container-compose.sha256
+        echo "sha256=$(cat .build/release/container-compose.sha256)" >> $GITHUB_OUTPUT
+        echo "Binary SHA256: $(cat .build/release/container-compose.sha256)"
+
+    - name: Attest Build Provenance
+      uses: actions/attest-build-provenance@v1
+      with:
+        subject-path: '.build/release/container-compose'
+
+    - name: Generate Verification Instructions
+      run: |
+        cat > .build/release/VERIFICATION.md << 'EOF'
+        # Binary Verification
+
+        ## SHA256 Checksum
+        ```
+        ${{ steps.checksum.outputs.sha256 }}  container-compose
+        ```
+
+        ## Verify Download
+        ```bash
+        # macOS/Linux
+        shasum -a 256 ./container-compose | grep ${{ steps.checksum.outputs.sha256 }}
+
+        # Should output matching hash
+        ```
+
+        ## Build Reproducibility
+        This binary was built with:
+        - macOS 26.x
+        - Xcode 26.3
+        - Swift 6.2
+        - Apple Silicon (arm64)
+
+        ## Attestation
+        This release includes cryptographic attestation via GitHub Actions.
+        Verify attestation: `gh attestation verify container-compose --owner explicitcontextualunderstanding`
+
+        ## Source Code
+        Tagged commit: ${{ github.sha }}
+        Compare: https://github.com/${{ github.repository }}/compare/${{ github.ref_name }}
+        EOF
+
+    - name: Create Release with Verification
+      if: github.event_name == 'push'
+      uses: softprops/action-gh-release@v1
+      with:
+        name: ${{ github.ref_name }}
+        draft: false
+        prerelease: ${{ contains(github.ref_name, 'alpha') || contains(github.ref_name, 'beta') }}
+        files: |
+          .build/release/container-compose
+          .build/release/container-compose.sha256
+          .build/release/VERIFICATION.md
+        body: |
+          ## Verification
+
+          **SHA256:** `${{ steps.checksum.outputs.sha256 }}`
+
+          Verify your download:
+          ```bash
+          shasum -a 256 ./container-compose | grep ${{ steps.checksum.outputs.sha256 }}
+          ```
+
+          **Build Attestation:** This release includes cryptographic attestation.
+          ```bash
+          gh attestation verify container-compose --owner explicitcontextualunderstanding
+          ```
+
+          See VERIFICATION.md for full details.
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Upload to Release (workflow_dispatch)
+      if: github.event_name == 'workflow_dispatch'
+      run: |
+        # Create release if it doesn't exist
+        VERSION="${{ github.inputs.version || 'latest' }}"
+        TAG="v${VERSION#v}"
+
+        # Create or get release ID
+        RELEASE_ID=$(gh api repos/${{ github.repository }}/releases/tags/$TAG --jq '.id' 2>/dev/null || echo "")
+
+        if [ -z "$RELEASE_ID" ]; then
+          RELEASE_ID=$(gh api repos/${{ github.repository }}/releases -X POST \
+            --field tag_name="$TAG" \
+            --field name="$TAG" \
+            --field draft=false \
+            --field body="## Verification
+
+          **SHA256:** \`${{ steps.checksum.outputs.sha256 }}\`
+
+          Verify your download:
+          \`\`\`bash
+          shasum -a 256 ./container-compose | grep ${{ steps.checksum.outputs.sha256 }}
+          \`\`\`
+
+          See full verification instructions in VERIFICATION.md" \
+            --jq '.id')
+        fi
+
+        # Upload assets
+        gh api repos/${{ github.repository }}/releases/$RELEASE_ID/assets \
+          -F "file=@.build/release/container-compose" \
+          -F "name=container-compose"
+        gh api repos/${{ github.repository }}/releases/$RELEASE_ID/assets \
+          -F "file=@.build/release/container-compose.sha256" \
+          -F "name=container-compose.sha256"
+        gh api repos/${{ github.repository }}/releases/$RELEASE_ID/assets \
+          -F "file=@.build/release/VERIFICATION.md" \
+          -F "name=VERIFICATION.md"
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

VERIFICATION.md

@@ -0,0 +1,117 @@
+# Binary Verification
+
+This document describes how to verify that your downloaded `container-compose` binary matches the source code in this repository.
+
+## Release Checksums
+
+Each release includes a SHA256 checksum file. You can verify your download matches the official release.
+
+### Latest Release (v0.10.1)
+
+| File | SHA256 |
+|------|--------|
+| container-compose | *(See release notes for current hash)* |
+
+## Verification Steps
+
+### 1. Download and Verify
+
+```bash
+# Download the binary
+curl -L -o container-compose \
+  https://github.com/explicitcontextualunderstanding/Container-Compose/releases/latest/download/container-compose
+
+# Download the checksum file
+curl -L -o container-compose.sha256 \
+  https://github.com/explicitcontextualunderstanding/Container-Compose/releases/latest/download/container-compose.sha256
+
+# Verify
+shasum -a 256 -c container-compose.sha256
+
+# Or manually check
+shasum -a 256 ./container-compose
+```
+
+### 2. GitHub Attestation
+
+Each release is cryptographically attested via GitHub Actions. Verify the attestation:
+
+```bash
+# Using GitHub CLI
+gh attestation verify container-compose --owner explicitcontextualunderstanding
+
+# Or with specific release
+gh attestation verify container-compose \
+  --repo explicitcontextualunderstanding/Container-Compose \
+  --predicate-type https://slsa.dev/provenance/v1
+```
+
+## Reproducible Builds
+
+You can rebuild the binary from source and compare:
+
+### Build Environment
+
+- **OS**: macOS 26.x
+- **Xcode**: 26.3
+- **Swift**: 6.2
+- **Architecture**: arm64 (Apple Silicon)
+
+### Build Steps
+
+```bash
+# Clone the repository
+git clone https://github.com/explicitcontextualunderstanding/Container-Compose.git
+cd Container-Compose
+
+# Checkout the release tag
+git checkout v0.10.1
+
+# Build release binary
+./build-release.sh
+
+# Generate checksum
+shasum -a 256 .build/release/container-compose
+```
+
+### Expected Result
+
+The SHA256 hash should match the release checksum file. Note that fully reproducible builds require the exact same toolchain versions.
+
+## Security
+
+### Trust Model
+
+1. **Source Code**: Publicly auditable on GitHub
+2. **CI/CD**: GitHub Actions with transparent build logs
+3. **Attestation**: Cryptographic proof of build provenance
+4. **Checksums**: SHA256 for integrity verification
+
+### Reporting Issues
+
+If verification fails:
+1. Check your download completed successfully
+2. Verify you're using the correct platform binary
+3. Open an issue at: https://github.com/explicitcontextualunderstanding/Container-Compose/issues
+
+## Verification Automation
+
+Add to your CI/CD pipeline:
+
+```yaml
+- name: Verify container-compose
+  run: |
+    curl -L -o container-compose.sha256 \
+      https://github.com/explicitcontextualunderstanding/Container-Compose/releases/download/v0.10.1/container-compose.sha256
+    EXPECTED_HASH=$(cut -d' ' -f1 container-compose.sha256)
+    ACTUAL_HASH=$(shasum -a 256 /usr/local/bin/container-compose | cut -d' ' -f1)
+    if [ "$EXPECTED_HASH" != "$ACTUAL_HASH" ]; then
+      echo "Verification failed! Expected: $EXPECTED_HASH, Got: $ACTUAL_HASH"
+      exit 1
+    fi
+    echo "✓ Binary verified"
+```
+
+---
+
+*Last updated: 2026-03-24*