781a297993
Add actions/attest-build-provenance to both build workflows so every binary is attested in the same job that builds it, the only point where provenance meaningfully proves an artifact was built from source rather than uploaded by hand. release.yml (build-tauri): grant id-token and attestations write permissions, then attest the desktop bundles via the tauri-action artifactPaths output, the Android apks, and the Windows portable exe. nightly.yml (build): same permissions plus one step attesting the staged nightly-out binaries. Nightlies ship via download.readest.com, but gh attestation verify is digest based so it verifies them too. Verify a download with: gh attestation verify <file> --repo readest/readest Closes #4848 Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>