Implement GitHub Actions build attestations using the attest-build-provenance action and verify the attestation with the GitHub CLI before a downstream deployment job proceeds

Verified steps

1. Add permissions: id-token: write and attestations: write to the build job; after building the artifact, call actions/attest-build-provenance with subject-path pointing to the artifact file
2. The action generates an in-toto attestation bundle and uploads it to the GitHub Attestations API, returning a bundle URL; capture it as a job output
3. In a verification job that depends on the build job, install the GitHub CLI and run gh attestation verify with the artifact path, the expected owner, and the signer workflow URI to confirm the provenance before deployment
4. Use gh attestation verify --deny-self-hosted-runners to reject attestations produced on self-hosted runners that may not have tamper-proof OIDC tokens
5. Store the verified artifact digest in a job output and pass it to the deploy job so the deploy script pulls the exact digest rather than a mutable tag
6. Add a policy step using OPA to evaluate the attestation JSON against a Rego rule that enforces the signer repo, ref, and workflow path before allowing promotion to production