feat(security): replace curl with gh release download and add attestation verification (#109)

- Replace unauthenticated curl download with gh release download
  authenticated via GH_TOKEN; avoids anonymous API rate limits on
  shared runners
- Add gh attestation verify before tar extraction to validate SLSA v1
  provenance published by block/goose since v1.28.0
- Add set -euo pipefail to install step; removes need for per-command
  error checks and empty-file guard
- Replace mktemp file with mktemp -d directory; update trap accordingly
- Add GH_TOKEN env to install step (scoped, not global)

Aligns with clouatre-labs/aptu action.yml patterns.

Closes #5994

Signed-off-by: Hugues Clouâtre <hugues@linux.com>

Author: clouatre

action.yml

@@ -94,19 +94,20 @@ runs:
       id: install
       if: steps.cache-goose.outputs.cache-hit != 'true'
       shell: bash
+      env:
+        GH_TOKEN: ${{ github.token }}
       run: |
+        set -euo pipefail
         VERSION="${{ steps.resolve-version.outputs.version }}"
-        echo "::group::Installing Goose v$VERSION"
         mkdir -p ~/.local/bin
-        
-        # Validate version format (semver: X.Y.Z or X.Y.Z-prerelease)
+        echo "::group::Installing Goose v$VERSION"
+
         VERSION="${VERSION#v}"
         if ! [[ "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-.+)?$ ]]; then
           echo "::error::Invalid version format: '$VERSION'. Expected semver (e.g., 1.19.1 or 1.20.0-beta)"
           exit 1
         fi
-        
-        # Determine architecture
+
         ARCH="${{ runner.arch }}"
         if [ "$ARCH" = "X64" ]; then
           GOOSE_ARCH="x86_64"
@@ -116,31 +117,15 @@ runs:
           echo "::error::Unsupported architecture: $ARCH"
           exit 1
         fi
-        
-        # Download and extract
-        DOWNLOAD_URL="https://github.com/block/goose/releases/download/v$VERSION/goose-${GOOSE_ARCH}-unknown-linux-gnu.tar.bz2"
-        echo "Downloading from: $DOWNLOAD_URL"
-        
-        TEMP_TAR=$(mktemp)
-        trap "rm -f $TEMP_TAR" EXIT
-        
-        if ! curl -fsSL "$DOWNLOAD_URL" -o "$TEMP_TAR"; then
-          echo "::error::Failed to download Goose. Check version and network."
-          exit 1
-        fi
-        
-        if [ ! -s "$TEMP_TAR" ]; then
-          echo "::error::Downloaded file is empty. Version $VERSION may not exist."
-          exit 1
-        fi
-        
-        if ! tar -xj -C ~/.local/bin -f "$TEMP_TAR"; then
-          echo "::error::Failed to extract Goose binary."
-          exit 1
-        fi
-        
-        chmod +x ~/.local/bin/goose
-        
+
+        ARCHIVE="goose-${GOOSE_ARCH}-unknown-linux-gnu.tar.bz2"
+        TEMP_DIR=$(mktemp -d)
+        trap 'rm -rf "$TEMP_DIR"' EXIT
+        echo "Downloading $ARCHIVE"
+        gh release download "v${VERSION}" -R block/goose --pattern "${ARCHIVE}" -D "$TEMP_DIR"
+        gh attestation verify "$TEMP_DIR/${ARCHIVE}" -R block/goose
+        tar -xj -C ~/.local/bin -f "$TEMP_DIR/${ARCHIVE}"
+
         echo "::endgroup::"
 
     - name: Setup PATH