
Adding best practices to the release flow#573

Open
nbelenkov wants to merge 4 commits into
masterfrom
adding_trusted_publishing

Conversation


@nbelenkov nbelenkov commented Feb 12, 2026

Contributor

Problem

We should use trusted publishing and environments across all our repos, so adding them here. Very similar to the Pinocchio one, but with the addition of SLSA and a GitHub app for releases, similar to WinCode.

Solution

I am adding the following:

  1. prod environment that needs 2 approvals before running
  2. OIDC trusted publishing that authenticates the action directly with crates.io
  3. Adding SLSA provenance, so that we can verify that the crate has been built on our action in our repo.
  4. tags and releases will be limited to only the GitHub app, so the action makes an app token to create a release

What needs to be done before merging:

  1. Move all crates that are published here to trusted publishing
  2. Set up prod env
  3. Create a gh release app

@nbelenkov nbelenkov requested review from joncinque and yihau February 12, 2026 14:59

@joncinque joncinque left a comment

Collaborator

Makes sense to me! We have a bunch of publishes to get out with #571, so can we wait until those publishes are done before adding this?

I have a small worry about how annoying this process will be if we ever need to make a breaking change at solana-address or something, which essentially requires publishing ~100 crates. Doing that by myself took a few days of clicking a button every 5 minutes.

Maybe at that point we'll need to create a new workflow which just does all the publishes in order. Is that the plan for Agave?

Comment on lines +213 to +214
id-token: write
attestations: write

Collaborator

I'm assuming we don't want artifact metadata storage records, but just making sure: does this also need artifact-metadata: write?

https://github.com/actions/attest-build-provenance?tab=readme-ov-file#usage

Contributor Author

Good spot, yep, we need this here.
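To show how the four pieces from the PR description (prod environment, OIDC trusted publishing to crates.io, SLSA provenance, app-token releases) fit together with the permissions block discussed in this thread, here is an added example workflow that is not the PR's own code. The environment name prod and the three permissions come from the thread; the action version tags, the workflow_dispatch input, and the RELEASE_APP_ID / RELEASE_APP_PRIVATE_KEY names are assumptions.

```yaml
name: Release (added example, not the PR's workflow)

on:
  workflow_dispatch:
    inputs:
      tag:
        description: "Release tag to create, e.g. v1.2.3"
        required: true

jobs:
  publish:
    runs-on: ubuntu-latest
    # Deployment environment configured with required reviewers
    # (2 approvals before the job runs, per the PR).
    environment: prod
    permissions:
      contents: read
      id-token: write            # OIDC token for crates.io trusted publishing
      attestations: write        # store the SLSA provenance attestation
      artifact-metadata: write   # requested by attest-build-provenance (raised in review)
    steps:
      - uses: actions/checkout@v4

      - name: Build the .crate package
        run: cargo package

      # Exchange the GitHub OIDC token for a short-lived crates.io token;
      # no long-lived CARGO_REGISTRY_TOKEN secret is stored in the repo.
      - name: Authenticate with crates.io via OIDC
        id: auth
        uses: rust-lang/crates-io-auth-action@v1

      - name: Publish to crates.io
        run: cargo publish
        env:
          CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}

      # Attest the packaged crate so consumers can verify it was built
      # by this workflow, in this repository.
      - name: Attest build provenance
        uses: actions/attest-build-provenance@v2
        with:
          subject-path: target/package/*.crate

      # Tags and releases are restricted to the GitHub App, so mint an
      # installation token instead of using GITHUB_TOKEN.
      - name: Create GitHub App token
        id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ vars.RELEASE_APP_ID }}                   # assumed name
          private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}  # assumed name

      - name: Create tag and GitHub release
        run: gh release create "$RELEASE_TAG" --generate-notes
        env:
          RELEASE_TAG: ${{ inputs.tag }}
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
```

The release step passes the input through an environment variable rather than interpolating it into the shell line, and the workflow's own GITHUB_TOKEN keeps only contents: read, so the App installation is the only identity able to write the tag and release.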
