Add SLSA build provenance attestations to release artifacts #5994

@clouatre

Description

Please explain the motivation behind the feature request.

Goose binaries are downloaded and executed in CI/CD environments (e.g., setup-goose-action). Currently, release artifacts have no cryptographic verification mechanism. Consumers cannot verify that binaries were built by block/goose's GitHub Actions. GitHub Artifact Attestations (GA since May 2024) provide zero-config SLSA v1.0 provenance.

Describe the solution you'd like

Add SLSA provenance attestations to release binaries using GitHub's attest-build-provenance action.

permissions:
  id-token: write
  attestations: write

- uses: actions/attest-build-provenance@v3
  with:
    subject-path: 'path/to/binary'

Consumers verify with:

gh attestation verify goose-linux-x86_64 -R block/goose

Describe alternatives you've considered

  • Manual checksums (SHA256 files) - requires key management, no provenance
  • Cosign signing - more complex setup than GitHub's built-in attestations
  • No verification - current state

Additional context
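As an added example (not part of the issue and not the goose repository's own workflow), here is what a complete release job wired up the way the request describes could look like: the workflow name, job id, the `cargo build` step and the `dist/` path are assumptions; the artifact name `goose-linux-x86_64` is the one used in the verification command above.

```yaml
# Added example, not from the issue or the block/goose repository.
# Assumptions: workflow file name, job id, `cargo build` as the build step, dist/ output dir.
name: release

on:
  push:
    tags: ['v*']

permissions:
  contents: write      # create the release and upload the asset
  id-token: write      # mint the OIDC token that ties the attestation to this workflow run
  attestations: write  # store the attestation alongside the repository

jobs:
  build-and-attest:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build release binary
        run: |
          cargo build --release
          mkdir -p dist
          cp target/release/goose dist/goose-linux-x86_64

      # Produces a SLSA v1.0 provenance statement whose subject is the binary's digest,
      # signed via Sigstore with the run's OIDC identity (repo, workflow, ref, commit).
      - name: Generate SLSA build provenance
        uses: actions/attest-build-provenance@v3
        with:
          subject-path: 'dist/goose-linux-x86_64'

      - name: Publish release asset
        run: gh release create "$GITHUB_REF_NAME" dist/goose-linux-x86_64 --generate-notes
        env:
          GH_TOKEN: ${{ github.token }}
```

On the consumer side, `gh attestation verify goose-linux-x86_64 -R block/goose` accepts any attestation signed by a workflow in that repository; pinning `--signer-workflow block/goose/.github/workflows/release.yml` additionally rejects artifacts attested by a different workflow in the same repository.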

Metadata

Labels

No labels

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests