add workflow attaching SLSA provinence to draft release

.github/workflows/release.yml

@@ -0,0 +1,34 @@
+name: Release New Version
+
+on:
+  push:
+    tags: '[0-9]+.[0-9]?[0-9]?[0-9]?.?[0-9]+'
+
+jobs:
+  release:
+    outputs:
+      hashes: ${{ steps.hash.outputs.hashes }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Collect artifacts
+        run: |
+          wget -q https://github.com/PrivateBin/PrivateBin/archive/refs/tags/${GITHUB_REF_NAME}.tar.gz
+          wget -q https://github.com/PrivateBin/PrivateBin/archive/refs/tags/${GITHUB_REF_NAME}.zip
+
+      - name: Generate hashes
+        shell: bash
+        id: hash
+        run: echo "hashes=$(sha256sum ${GITHUB_REF_NAME} | base64 -w0)" >> "$GITHUB_OUTPUT"
+
+  provenance:
+    needs:
+      - release
+    permissions:
+      actions: read
+      id-token: write
+      contents: write
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0
+    with:
+      base64-subjects: "${{ needs.release.outputs.hashes }}"
+      draft-release: true
+      upload-assets: true