From d24f3ce443d00943a0e7878f6ebcfcf57cbfbe85 Mon Sep 17 00:00:00 2001 From: David Tolnay Date: Sun, 26 Jan 2025 14:09:38 -0800 Subject: [PATCH] Mention artifact attestation in readme --- README.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/README.md b/README.md index 4f8beae..28192ac 100644 --- a/README.md +++ b/README.md @@ -29,6 +29,14 @@ jobs: | `crate` | ✓ | Name of crate as published to crates.io | | `bin` | | Name of binary; default = same as crate name | +## Security + +Binaries are cryptographically signed and verified using [GitHub artifact +attestation] to establish the build's provenance, including the specific +workflow file and workflow run that produced the artifact. + +[GitHub artifact attestation]: https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds + ## License The scripts and documentation in this project are released under the [MIT
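Review bot: In the added `## Security` paragraph, "cryptographically signed and verified" does not say who performs the verification or when, so a reader cannot tell whether this action checks the attestation before it installs a binary or whether verification is left to the user. Suggest naming the step that verifies and stating what happens when verification fails. The paragraph also refers to "the specific workflow file and workflow run" without identifying which workflow file a valid attestation is expected to name. Adding that would let a user confirm the provenance independently instead of relying on the linked GitHub documentation alone.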