Supply-chain hardening: version pinning, SLSA attestations, fix #506

.agents/skills/release/SKILL.md

@@ -187,11 +187,14 @@ If anything is missing, fix it before proceeding to Phase 4. Common fixes:
 
 3. **The pipeline handles everything else:**
    - Runs tests
-   - Cross-compiles binaries for 5 platforms (macOS ARM64/x64, Linux x64/ARM64, Windows x64)
-   - Compiles paste service binaries (same 5 platforms)
+   - Cross-compiles binaries for 6 platforms (macOS ARM64/x64, Linux x64/ARM64, Windows x64/ARM64)
+   - Compiles paste service binaries (same 6 platforms)
+   - Generates SLSA build provenance attestations for all 12 binaries via `actions/attest-build-provenance` (signed through Sigstore, recorded in Rekor)
    - Creates the GitHub Release with all binaries attached
    - Publishes `@plannotator/opencode` and `@plannotator/pi-extension` to npm with provenance
 
+   **Note on immutable releases:** The repo has GitHub Immutable Releases enabled, so once the `v*` tag is pushed and the release is created, the tag→commit and tag→asset bindings are permanent. You cannot delete and re-create a tag to "fix" a bad release — you must ship a new version. Release notes remain editable (see step 5), but everything else is locked.
+
 4. **Monitor the pipeline:**
    Watch the release workflow run until it completes:
    ```bash

.github/workflows/release.yml

@@ -15,8 +15,7 @@ on:
         default: true
 
 permissions:
-  contents: write
-  id-token: write
+  contents: read
 
 env:
   DRY_RUN: ${{ !(startsWith(github.ref, 'refs/tags/') || inputs.dry-run == 'false') }}
@@ -47,6 +46,15 @@ jobs:
   build:
     needs: test
     runs-on: ubuntu-latest
+    # Build job has NO id-token / attestations permissions. Compilation
+    # itself doesn't need OIDC minting — those capabilities live in the
+    # separate `attest` job below, which only runs on tag pushes. This
+    # ensures PR dry-runs (which exercise `bun install` + compile) never
+    # have OIDC minting available, closing the narrow-but-real
+    # "trusted-contributor compromise lets a malicious build step mint
+    # a repo-identity OIDC token" attack surface.
+    permissions:
+      contents: read
 
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -85,6 +93,10 @@ jobs:
           bun build apps/hook/server/index.ts --compile --target=bun-windows-x64 --outfile plannotator-win32-x64.exe
           sha256sum plannotator-win32-x64.exe > plannotator-win32-x64.exe.sha256
 
+          # Windows ARM64 (native, via bun-windows-arm64 — stable since Bun v1.3.10)
+          bun build apps/hook/server/index.ts --compile --target=bun-windows-arm64 --outfile plannotator-win32-arm64.exe
+          sha256sum plannotator-win32-arm64.exe > plannotator-win32-arm64.exe.sha256
+
           # Paste service binaries
           bun build apps/paste-service/targets/bun.ts --compile --target=bun-darwin-arm64 --outfile plannotator-paste-darwin-arm64
           sha256sum plannotator-paste-darwin-arm64 > plannotator-paste-darwin-arm64.sha256
@@ -101,6 +113,9 @@ jobs:
           bun build apps/paste-service/targets/bun.ts --compile --target=bun-windows-x64 --outfile plannotator-paste-win32-x64.exe
           sha256sum plannotator-paste-win32-x64.exe > plannotator-paste-win32-x64.exe.sha256
 
+          bun build apps/paste-service/targets/bun.ts --compile --target=bun-windows-arm64 --outfile plannotator-paste-win32-arm64.exe
+          sha256sum plannotator-paste-win32-arm64.exe > plannotator-paste-win32-arm64.exe.sha256
+
       - name: Upload artifacts
         uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
@@ -109,10 +124,55 @@ jobs:
             plannotator-*
             !*.ts
 
-  release:
+  attest:
+    # Isolated attestation job — runs on tag pushes only and holds the
+    # OIDC minting + attestations-write capabilities that the build job
+    # used to have. Splitting this out means PR builds and non-tag pushes
+    # never get id-token: write granted, closing the trusted-contributor
+    # compromise window where a malicious build step could mint a
+    # repo-identity OIDC token. The attestation is produced against the
+    # same binaries the build job uploaded; attest-build-provenance
+    # publishes the signed bundle to GitHub's attestation store, so the
+    # release job downstream doesn't need any new artifact handling.
     needs: build
     if: startsWith(github.ref, 'refs/tags/')
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+      attestations: write
+
+    steps:
+      - name: Download binaries
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          name: binaries
+
+      - name: Generate SLSA build provenance attestation
+        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
+        with:
+          subject-path: |
+            plannotator-darwin-arm64
+            plannotator-darwin-x64
+            plannotator-linux-x64
+            plannotator-linux-arm64
+            plannotator-win32-x64.exe
+            plannotator-win32-arm64.exe
+            plannotator-paste-darwin-arm64
+            plannotator-paste-darwin-x64
+            plannotator-paste-linux-x64
+            plannotator-paste-linux-arm64
+            plannotator-paste-win32-x64.exe
+            plannotator-paste-win32-arm64.exe
+
+  release:
+    # Depends on `attest` so the signed provenance exists before the
+    # GitHub Release is published — otherwise there'd be a window where
+    # users could pull the binary and `gh attestation verify` would
+    # race-fail. `needs: attest` implicitly requires `build` too.
+    needs: attest
+    if: startsWith(github.ref, 'refs/tags/')
+    runs-on: ubuntu-latest
     permissions:
       contents: write