From db671fd2c5466e7ab1840c4a8ef9d634149688eb Mon Sep 17 00:00:00 2001
From: Kyle Mendell <ksm@ofkm.us>
Date: Mon, 25 May 2026 09:24:04 -0500
Subject: [PATCH] chore: add back binary signing

---
 .github/workflows/build-next.yml | 6 ++++++
 .github/workflows/release.yml    | 5 +++++
 2 files changed, 11 insertions(+)

diff --git a/.github/workflows/build-next.yml b/.github/workflows/build-next.yml
index 48a9603b..a2a64566 100644
--- a/.github/workflows/build-next.yml
+++ b/.github/workflows/build-next.yml
@@ -14,6 +14,7 @@ permissions:
   contents: read
   packages: write
   id-token: write
+  attestations: write
 
 jobs:
   build-next:
@@ -77,3 +78,8 @@ jobs:
           MACOS_NOTARY_KEY: ${{ secrets.MACOS_NOTARY_KEY }}
           MACOS_NOTARY_KEY_ID: ${{ secrets.MACOS_NOTARY_KEY_ID }}
           MACOS_NOTARY_ISSUER_ID: ${{ secrets.MACOS_NOTARY_ISSUER_ID }}
+
+      - name: Binary attestation
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-path: "dist/pocket-id_**"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 2d0467f2..f81b8e64 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -109,6 +109,11 @@ jobs:
           MACOS_NOTARY_KEY_ID: ${{ secrets.MACOS_NOTARY_KEY_ID }}
           MACOS_NOTARY_ISSUER_ID: ${{ secrets.MACOS_NOTARY_ISSUER_ID }}
 
+      - name: Binary attestation
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-path: "dist/pocket-id_**"
+
       - name: Publish release
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}