extract out sign/verify steps

Author: GrantBirki

.github/workflows/release.yml

@@ -9,6 +9,7 @@ permissions: {}
 
 jobs:
   release:
+    if: github.repository == 'github/gh-combine'
     permissions:
       contents: write
     runs-on: ubuntu-latest
@@ -43,19 +44,34 @@ jobs:
 
   sign:
     needs: release
+    runs-on: ubuntu-latest
     permissions:
       id-token: write
       attestations: write
       contents: read
-    uses: github/salsa/.github/workflows/sign-artifact.yml@main
-    with:
-      artifact-ids: ${{ needs.release.outputs.artifact-id }}
-      artifact-path: "."
+    steps:
+      - uses: actions/download-artifact@54124fbd881f8ce794405a06896c93c49c17463e
+        with:
+          artifact-ids: ${{ needs.release.outputs.artifact-id }}
+
+      - name: attest build provenance
+        uses: actions/[email protected]
+        with:
+          subject-path: "."
 
   verify:
     permissions: {}
+    runs-on: ubuntu-latest
     needs: [release, sign]
-    uses: github/salsa/.github/workflows/verify.yml@main
-    with:
-      artifact-ids: ${{ needs.release.outputs.artifact-id }}
-      artifact-path: "."
+    steps:
+      - uses: actions/download-artifact@54124fbd881f8ce794405a06896c93c49c17463e
+        with:
+          artifact-ids: ${{ needs.release.outputs.artifact-id }}
+
+      - name: verify
+        env:
+          OWNER: ${{ github.repository_owner }}
+          REPO: ${{ github.event.repository.name }}
+          ARTIFACT_PATH: "."
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: gh attestation verify "$ARTIFACT_PATH" --repo ${OWNER}/${REPO} --signer-workflow ${OWNER}/${REPO}/.github/workflows/release.yml