Generate build provenance for CLI releases

[JamieMagee]

Once this is merged, and a release is created, the CLI binary will be built with the necessary provenance. This will allow us to verify the authenticity of the binary and ensure that it was built from the correct source code. This is an important security feature that will help us maintain the integrity of our releases.

We can verify the provenance using: gh attestation verify command. For example gh attestation verify dependabot --repo dependabot/cli.

[codysoyland]

Looks good to me!

[JamieMagee]

After chatting with @codysoyland offline, he suggested removing the quotes from the multi-line subject-path.

[jeffwidman]

Looks straightforward to me. Cody's the expert, so if he thinks it's good, I'm good! 👍

[JamieMagee]

It works 🎉

$ curl -L -O https://github.com/dependabot/cli/releases/download/v1.62.2/dependabot-v1.62.2-linux-amd64.tar.gz
$ tar xzf dependabot-v1.62.2-linux-amd64.tar.gz
$ gh attestation verify dependabot --owner dependabot
Loaded digest sha256:f54246f86d9706d4aa8b51348201be6931b61da125c4401290917ae09f22a180 for file://dependabot
Loaded 1 attestation from GitHub API

The following policy criteria will be enforced:
- Predicate type must match:................ https://slsa.dev/provenance/v1
- Source Repository Owner URI must match:... https://github.com/dependabot
- Subject Alternative Name must match regex: (?i)^https://github.com/dependabot/
- OIDC Issuer must match:................... https://token.actions.githubusercontent.com

✓ Verification succeeded!

The following 1 attestation matched the policy criteria

- Attestation #1
  - Build repo:..... dependabot/cli
  - Build workflow:. .github/workflows/release.yml@refs/tags/v1.62.2
  - Signer repo:.... dependabot/cli
  - Signer workflow: .github/workflows/release.yml@refs/tags/v1.62.2