
Conversation

@martincostello
Member

Fixes #6350

Changes

Use GitHub Attestations to attest DLL files created by the build.

Validation

❯ gh attestation verify --owner martincostello .\OpenTelemetry.dll
Loaded digest sha256:3651fcb5a38b6eac9a89dff9191978a64c7d5397c5ba8cac7f2c77c5f3627e6b for file://OpenTelemetry.dll
Loaded 1 attestation from GitHub API

The following policy criteria will be enforced:
- Predicate type must match:................ https://slsa.dev/provenance/v1
- Source Repository Owner URI must match:... https://github.com/martincostello
- Subject Alternative Name must match regex: (?i)^https://github.com/martincostello/
- OIDC Issuer must match:................... https://token.actions.githubusercontent.com

✓ Verification succeeded!

The following 1 attestation matched the policy criteria

- Attestation #1
  - Build repo:..... martincostello/opentelemetry-dotnet
  - Build workflow:. .github/workflows/publish-packages-1.0.yml@refs/heads/gh-6350
  - Signer repo:.... martincostello/opentelemetry-dotnet
  - Signer workflow: .github/workflows/publish-packages-1.0.yml@refs/heads/gh-6350

Merge requirement checklist

  • CONTRIBUTING guidelines followed (license requirements, nullable enabled, static analysis, etc.)
  • Unit tests added/updated
  • Appropriate CHANGELOG.md files updated for non-trivial changes
  • Changes in public API reviewed (if applicable)

Use GitHub Attestations to attest DLL files created by the build.

Resolves open-telemetry#6350.
Only attest the `OpenTelemetry*` DLLs.
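A consumer-side check, added here as an example and not code from the opentelemetry-dotnet project: it opens a .nupkg, selects only the `OpenTelemetry*.dll` members (the scope this PR attests), extracts each one and runs the same `gh attestation verify` command shown in the validation above against the bytes that actually ship in the package. It assumes the GitHub CLI is installed and logged in, and that the package was built by a workflow in the open-telemetry organisation; the validation output above used `--owner martincostello` because that run came from the author's fork, and the Subject Alternative Name policy it prints means a fork-built attestation will not satisfy `--owner open-telemetry`. The package layout and file names in the code are assumptions.

```python
"""Verify GitHub build-provenance attestations for the OpenTelemetry*.dll
assemblies inside a NuGet package.

Added example, not code from the opentelemetry-dotnet project. Assumes the
`gh` CLI is installed and authenticated and that the package was built in
the open-telemetry org (the default --owner below).
"""
from __future__ import annotations

import fnmatch
import hashlib
import subprocess
import tempfile
import zipfile
from pathlib import Path, PurePosixPath

ATTESTED_GLOB = "OpenTelemetry*.dll"  # only these assemblies carry an attestation


def attested_members(nupkg: Path) -> list[str]:
    """Return the archive members whose file name matches OpenTelemetry*.dll.

    A .nupkg is a zip; assemblies live under lib/<tfm>/. Other DLLs that may
    be in the package are skipped because no attestation exists for them.
    """
    with zipfile.ZipFile(nupkg) as zf:
        return sorted(
            name
            for name in zf.namelist()
            if not name.endswith("/")
            and fnmatch.fnmatchcase(PurePosixPath(name).name, ATTESTED_GLOB)
        )


def sha256_digest(data: bytes) -> str:
    """Digest in the form gh prints ("Loaded digest sha256:... for file://...")."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


def verify_dll(dll: Path, owner: str, runner=subprocess.run) -> tuple[bool, str]:
    """Run `gh attestation verify --owner <owner> <dll>` on one extracted file.

    Returns (ok, combined output). `runner` is injectable so the surrounding
    logic can be exercised without the CLI or network access.
    """
    proc = runner(
        ["gh", "attestation", "verify", "--owner", owner, str(dll)],
        capture_output=True,
        text=True,
        check=False,
    )
    return proc.returncode == 0, proc.stdout + proc.stderr


def verify_nupkg(
    nupkg: Path, owner: str = "open-telemetry", runner=subprocess.run
) -> dict[str, bool]:
    """Extract every attested DLL and verify it; fail closed if none are found."""
    members = attested_members(nupkg)
    if not members:
        raise ValueError(f"{nupkg}: no {ATTESTED_GLOB} members to verify")
    results: dict[str, bool] = {}
    with zipfile.ZipFile(nupkg) as zf, tempfile.TemporaryDirectory() as tmp:
        for member in members:
            # Verify the exact bytes shipped in the package, not a rebuilt copy.
            extracted = Path(zf.extract(member, tmp))
            ok, _ = verify_dll(extracted, owner, runner)
            results[member] = ok
    return results


if __name__ == "__main__":
    import sys

    outcome = verify_nupkg(Path(sys.argv[1]))
    for member, ok in outcome.items():
        print("OK  " if ok else "FAIL", member)
    sys.exit(0 if all(outcome.values()) else 1)
```

Run it as `python verify_otel_nupkg.py OpenTelemetry.1.14.0.nupkg` after downloading the package. `verify_nupkg` raises rather than returning an empty result when a package contains no `OpenTelemetry*.dll`, so a repacked or renamed package cannot pass by having nothing to check. To pin verification to the project repository rather than the whole organisation, replace `--owner open-telemetry` with `--repo open-telemetry/opentelemetry-dotnet`.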
@github-actions github-actions bot added infra Infra work - CI/CD, code coverage, linters documentation Documentation related labels Oct 24, 2025
@codecov

codecov bot commented Oct 24, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 86.80%. Comparing base (7072855) to head (8cefa1e).
✅ All tests successful. No failed tests found.


@@            Coverage Diff             @@
##             main    #6646      +/-   ##
==========================================
+ Coverage   86.76%   86.80%   +0.04%     
==========================================
  Files         258      258              
  Lines       11958    11958              
==========================================
+ Hits        10375    10380       +5     
+ Misses       1583     1578       -5     
Flag Coverage Δ
unittests-Project-Experimental 86.73% <ø> (+0.29%) ⬆️
unittests-Project-Stable 86.74% <ø> (-0.02%) ⬇️
unittests-Solution 86.39% <ø> (-0.06%) ⬇️
unittests-UnstableCoreLibraries-Experimental 86.07% <ø> (+0.09%) ⬆️

see 2 files with indirect coverage changes

@martincostello martincostello marked this pull request as ready for review October 24, 2025 14:26
@martincostello martincostello requested a review from a team as a code owner October 24, 2025 14:26
Copilot AI review requested due to automatic review settings October 24, 2025 14:26

Copilot AI left a comment


Pull Request Overview

This PR adds GitHub Artifact Attestations to DLLs in NuGet packages to provide cryptographic verification of build provenance, starting with the 1.14.0 release.

Key Changes:

  • Adds attestation workflow step to generate build provenance for DLL files
  • Updates documentation with instructions for verifying DLL attestations using GitHub CLI

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File Description
.github/workflows/publish-packages-1.0.yml Adds attestations permission and workflow step to attest DLLs using GitHub's attest-build-provenance action
README.md Documents the new attestation feature and provides verification instructions for users

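The review table above describes the workflow change in outline. As an added example that is not the PR's own workflow file (which the page does not show), here is a minimal job with the permissions and the attest-build-provenance step that produce an attestation like the one verified above; the job name, build command and output path are assumptions:

```yaml
# Added example, not the publish-packages-1.0.yml from this PR.
# Job name, build command and the glob are assumptions.
name: attest-dlls
on:
  push:
    tags: ['*']

jobs:
  build-and-attest:
    runs-on: ubuntu-latest
    permissions:
      contents: read        # check out the source
      id-token: write       # request the OIDC token Sigstore signs against
      attestations: write   # store the attestation through the GitHub API
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-dotnet@v4
      - run: dotnet build --configuration Release
      - name: Attest OpenTelemetry assemblies
        uses: actions/attest-build-provenance@v2
        with:
          # Only the project's own assemblies, matching the scope of this PR.
          subject-path: |
            src/**/bin/Release/**/OpenTelemetry*.dll
```

Two points a practitioner should check when adopting this. First, the attestation binds the SHA-256 of each file as it exists when the step runs; if a later step rewrites the DLL (Authenticode signing, strong-name re-signing, repacking), its digest changes and `gh attestation verify` will report no matching attestation, so the step must run on the final bytes that go into the .nupkg. Second, `id-token: write` is what lets the runner obtain the token from `https://token.actions.githubusercontent.com`, the OIDC issuer the verification policy above enforces; without it the action cannot sign at all.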

Member

@trask trask left a comment


cool, answers my question about uses of attestations outside of immutable releases: open-telemetry/sig-security#164 (comment)

Member

@rajkumar-rangaraj rajkumar-rangaraj left a comment


Thanks @trask



Development

Successfully merging this pull request may close these issues.

[feature request] Generate GitHub Attestations
