Attest contents of NuGet packages (#6)

.github/workflows/dotnet.yaml

@@ -184,10 +184,29 @@ jobs:
     steps:
       - run: echo "All required checks complete."
 
+  attestation:
+    runs-on: ubuntu-latest
+    needs: [all-required-checks-complete]
+    if: ${{ !github.event.repository.fork && github.ref == 'refs/heads/main' }}
+    permissions:
+      id-token: write
+      attestations: write
+      contents: read
+    steps:
+      - name: Download NuGet artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: nuget-package
+          path: packed
+      - name: Attest Build Provenance
+        uses: actions/attest-build-provenance@897ed5eab6ed058a474202017ada7f40bfa52940 # v1.0.0
+        with:
+          subject-path: "packed/WoofWare.DotnetRuntimeLocator.*.nupkg"
+
   nuget-publish:
     runs-on: ubuntu-latest
     if: ${{ !github.event.repository.fork && github.ref == 'refs/heads/main' }}
-    needs: [all-required-checks-complete]
+    needs: [attestation]
     environment: main-deploy
     steps:
       - uses: actions/checkout@v4