
Ah, I think you might be pleasantly surprised that this is an area being focused on right now with attestations[1]. For example, here are the attestations for the GitHub CLI[2].

1: https://github.blog/2024-05-02-introducing-artifact-attestat...

2: https://github.com/cli/cli/attestations



Maybe this whole cryptographic stuff has some use, but all that was needed was for GitHub to declare when a file was uploaded manually and when by a workflow (specifying which workflow).

This looks so complex that it might well be just smoke and mirrors.



