@Kelleretoro Kelleretoro commented Nov 23, 2025

This workflow generates SLSA provenance files for projects, satisfying level 3 requirements. It includes steps for building artifacts and generating subject hashes for provenance verification.

🎉 Thanks for submitting a pull request! 🎉

Summary

Fixes #<replace_with_issue_number>


For us to review and ship your PR efficiently, please perform the following steps:

  • Open a bug/issue before writing your code 🧑‍💻. This ensures
    we can discuss the changes and get feedback from everyone that should be involved. If you're fixing a typo or
    something that's on fire 🔥 (e.g. incident related), you can skip this step.
  • Read the contribution guidelines 📖. This ensures
    your code follows our style guide and passes our tests.
  • Update or add tests (if any source code was changed or added) 🧪
  • Update or add documentation (if features were changed or added) 📝
  • Make sure the status checks below are successful ✅

A picture of a cute animal (not mandatory, but encouraged)

Copilot AI review requested due to automatic review settings November 23, 2025 05:35
@Kelleretoro Kelleretoro requested a review from a team as a code owner November 23, 2025 05:35
Copilot finished reviewing on behalf of Kelleretoro November 23, 2025 05:37
Copilot AI left a comment

Pull request overview

This PR adds a GitHub Actions workflow for generating SLSA (Supply-chain Levels for Software Artifacts) level 3 provenance files. The workflow is triggered on release creation or manual dispatch, builds artifacts, generates cryptographic hashes, and creates signed provenance attestations using the official SLSA framework generator.

Key Changes

  • Adds SLSA provenance generation workflow with build and provenance jobs
  • Implements artifact hashing for supply chain security verification
  • Configures automatic provenance upload to releases

digests: ${{ steps.hash.outputs.digests }}

steps:
- uses: actions/checkout@v4
Copilot AI Nov 23, 2025

Inconsistent action version. All other workflows in this repository use actions/checkout@v5. Update to v5 for consistency.

Suggested change
- uses: actions/checkout@v4
- uses: actions/checkout@v5

jobs:
build:
runs-on: ubuntu-latest
Copilot AI Nov 23, 2025

Inconsistent runner version. All other workflows in this repository use specific Ubuntu versions like ubuntu-24.04 instead of ubuntu-latest. Using a specific version ensures more predictable and reproducible builds.

Suggested change
runs-on: ubuntu-latest
runs-on: ubuntu-24.04

# List the artifacts the provenance will refer to.
files=$(ls artifact*)
# Generate the subjects (base64 encoded).
echo "hashes=$(sha256sum $files | base64 -w0)" >> "${GITHUB_OUTPUT}"
Copilot AI Nov 23, 2025

Variable name mismatch. The output is set to 'hashes' but line 23 declares the job output as 'digests', which is referenced in line 65. Change 'hashes' to 'digests' to match the expected output name.

Suggested change
echo "hashes=$(sha256sum $files | base64 -w0)" >> "${GITHUB_OUTPUT}"
echo "digests=$(sha256sum $files | base64 -w0)" >> "${GITHUB_OUTPUT}"

set -euo pipefail
# List the artifacts the provenance will refer to.
files=$(ls artifact*)
Copilot AI Nov 23, 2025

Using ls with a glob pattern can fail if no files match, causing the workflow to fail ungracefully. Consider using a more robust approach like files=$(find . -maxdepth 1 -name 'artifact*' -type f) or add error handling to check if files exist before processing.

Suggested change
files=$(ls artifact*)
files=$(find . -maxdepth 1 -name 'artifact*' -type f)
if [ -z "$files" ]; then
echo "No artifact files found. Exiting." >&2
exit 1
fi

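The two review comments above (the `hashes`/`digests` output-name mismatch and the fragile `ls artifact*`) both concern the subject-hashing step. The script below is an added example, not the PR's workflow or anything from the project: it computes the subject list as the base64 encoding of `sha256sum` output, which is the format the slsa-github-generator generic workflow documents for its `base64-subjects` input, fails when no artifact matches instead of passing an unexpanded glob to `sha256sum`, writes the result under the same key the job's `outputs:` block reads (`digests` in this PR), and verifies the encoded list against the files afterwards. It assumes GNU coreutils and findutils (as on the Ubuntu runners), a hypothetical `artifact*` naming pattern, and constructed sample files in place of real build output.

```bash
#!/usr/bin/env bash
# Added example, not the PR's workflow: build the SLSA "subjects" string the
# slsa-github-generator generic workflow consumes (base64 of sha256sum output),
# refuse to continue when no artifact matches, write it under the same key the
# job's `outputs:` block reads, and verify it afterwards.
set -euo pipefail

# generate_subjects DIR PATTERN
# Hashes every regular file directly under DIR whose name matches PATTERN and
# prints the single-line base64 encoding of the sha256sum output. Returns 1
# when nothing matches, instead of letting an unexpanded glob reach sha256sum.
generate_subjects() {
  local dir="$1" pattern="$2" count
  count=$(cd "$dir" && find . -maxdepth 1 -type f -name "$pattern" | wc -l)
  if [ "$count" -eq 0 ]; then
    echo "generate_subjects: no files matching '$pattern' in $dir" >&2
    return 1
  fi
  # -printf '%P\0' drops the leading "./" so subject names match the artifact
  # names that get uploaded; NUL separation keeps odd filenames intact.
  (cd "$dir" && find . -maxdepth 1 -type f -name "$pattern" -printf '%P\0' \
     | sort -z | xargs -0 sha256sum) | base64 -w0
}

# write_step_output KEY VALUE FILE
# Appends KEY=VALUE to the step-output file ($GITHUB_OUTPUT in Actions). KEY
# must equal the name the job declares, e.g. `digests` for
# `digests: ${{ steps.hash.outputs.digests }}`; a mismatch hands the
# provenance job an empty subject list rather than failing the build.
write_step_output() {
  printf '%s=%s\n' "$1" "$2" >> "$3"
}

# verify_subjects DIR B64
# Decodes the subjects and checks every listed file in DIR; any missing,
# tampered or malformed entry makes sha256sum -c exit non-zero.
verify_subjects() {
  local dir="$1" b64="$2"
  printf '%s' "$b64" | base64 -d | (cd "$dir" && sha256sum -c --strict --quiet -)
}

# Stand-alone run against constructed sample artifacts (not real build output).
work=$(mktemp -d)
printf 'hello\n' > "$work/artifact1"
printf 'world\n' > "$work/artifact2"
subjects=$(generate_subjects "$work" 'artifact*')
write_step_output digests "$subjects" "$work/step_output"
cat "$work/step_output"
verify_subjects "$work" "$subjects" && echo "subjects verified"
```

In a workflow the `write_step_output` call would target `"${GITHUB_OUTPUT}"`, and the key it writes is the one thing that must agree with both the job's `outputs:` declaration and the `digests` reference in the provenance job; nothing in Actions flags the disagreement for you.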
# ========================================================
- name: Build artifacts
run: |
# These are some amazing artifacts.
Copilot AI Nov 23, 2025

The 'Build artifacts' step contains placeholder/example code. The comments indicate this should be replaced with actual build commands (see line 30 comment 'Step 1: Build your artifacts'). Consider adding a clearer TODO or FIXME comment to make it explicit that this needs customization, or provide more specific guidance on what should replace this section.

Suggested change
# These are some amazing artifacts.
# TODO: Replace the following example commands with your actual build steps.
# These are placeholder artifacts for demonstration purposes.
