docs: strengthen public security signals

.github/workflows/release.yml

@@ -6,7 +6,7 @@ on:
       - 'V*'
 
 permissions:
-  contents: write
+  contents: read
 
 jobs:
   build:
@@ -58,6 +58,10 @@ jobs:
     name: Publish Release
     needs: build
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      attestations: write
+      id-token: write
     steps:
       - name: Download all artifacts
         uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
@@ -69,16 +73,32 @@ jobs:
       - name: Display structure of downloaded files
         run: ls -R bin/
 
+      - name: Generate release checksums
+        run: |
+          cd bin
+          mapfile -t release_files < <(find . -maxdepth 1 -type f -printf '%P\n' | sort)
+          if [[ ${#release_files[@]} -eq 0 ]]; then
+            echo "No release assets found"
+            exit 1
+          fi
+          sha256sum "${release_files[@]}" > SHA256SUMS
+          cat SHA256SUMS
+
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v3
+        with:
+          subject-path: |
+            bin/analyze-darwin-*
+            bin/status-darwin-*
+            bin/binaries-darwin-*.tar.gz
+            bin/SHA256SUMS
+
       - name: Create Release
         uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2
         if: startsWith(github.ref, 'refs/tags/')
         with:
           name: ${{ github.ref_name }}
           files: bin/*
-          body: |
-            Release assets are ready.
-
-            Final curated release notes should be applied with `gh release edit` after workflow verification.
           generate_release_notes: false
           draft: false
           prerelease: false