From ac2625bec431b1bf8d32f83fc861c9e16aac2651 Mon Sep 17 00:00:00 2001
From: shenxianpeng
Date: Tue, 4 Jun 2024 16:24:59 +0000
Subject: [PATCH 1/3] feat: support actions/attest-build-provenance

---
 .github/workflows/build-amd64.yml | 10 +++++++++-
 .github/workflows/test.yml | 2 +-
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/build-amd64.yml b/.github/workflows/build-amd64.yml
index ba1b3a0..45ef5b0 100644
--- a/.github/workflows/build-amd64.yml
+++ b/.github/workflows/build-amd64.yml
@@ -11,6 +11,10 @@ on:
 - ".github/workflows/build-amd64.yml"
 workflow_dispatch:
 
+permissions:
+ id-token: write
+ attestations: write
+
 jobs:
 build:
 strategy:
@@ -156,12 +160,16 @@ jobs:
 cat clang-tidy-${{ env.suffix }}.sha512sum
 cat clang-apply-replacements-${{ env.suffix }}.sha512sum
 - name: upload artifacts
- if: ${{ github.actor != 'dependabot[bot]' }} || github.event_name != 'pull_request'
+ if: ${{ github.actor != 'dependabot[bot]' }}
 uses: actions/upload-artifact@v3
 with:
 name: clang-tools
 path: "${{ matrix.release }}${{ matrix.bindir }}/clang-*-${{ env.suffix }}*"
 retention-days: 1
+ - uses: actions/attest-build-provenance@v1
+ with:
+ subject-path: "${{ matrix.release }}${{ matrix.bindir }}/clang-*-${{ env.suffix }}*"
+
 draft-release:
 runs-on: ubuntu-22.04
 if: ${{ github.actor != 'dependabot[bot]' }} || github.event_name != 'pull_request'
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 4abf142..3a07b19 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -1,4 +1,4 @@
-name: Test Static Binaries
+name: Test static binaries
 
 on:
 workflow_dispatch:

From a3f5519b999f8ec846fd8bf884c006a9b6f1a4b7 Mon Sep 17 00:00:00 2001
From: Peter Shen
Date: Wed, 5 Jun 2024 01:01:16 +0800
Subject: [PATCH 2/3] Update build-amd64.yml

---
 .github/workflows/build-amd64.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
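Review bot: Declaring `permissions:` with only `id-token: write` and `attestations: write` at workflow level sets every unlisted scope to none for every job in the file, which drops the default `contents: read`; if any job checks out the repository or reads release assets with `GITHUB_TOKEN`, that will now fail, and the attest-build-provenance documentation lists `contents: read` next to these two scopes for exactly that reason. Because the block sits at workflow level, the OIDC signing capability is also granted to `draft-release`, which does not attest anything, so the least-privilege placement is under `jobs.build`: `permissions:` / `  contents: read` / `  id-token: write` / `  attestations: write`. Whether `draft-release` carries its own `permissions:` override is outside this hunk, so treat that part as something to confirm rather than a proven break.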
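Review bot: The new `actions/attest-build-provenance@v1` step carries no `if:`, so it runs on every event even though the upload step directly above it is now skipped for dependabot, and on pull_request runs from forks the runner does not issue an `id-token` at all, so the step fails instead of being skipped. When a condition is added, keep the whole expression inside one `${{ }}`, as the rewritten upload-artifact `if:` in this hunk does: the form still used by `draft-release` in the context lines below, `${{ github.actor != 'dependabot[bot]' }} || github.event_name != 'pull_request'`, substitutes only the first part and leaves the rest as literal text, and as far as I can tell the runner then treats the resulting non-empty string as true, so the second clause never takes effect. The equivalent guard is `if: ${{ github.actor != 'dependabot[bot]' || github.event_name != 'pull_request' }}`; the same mixed form reappears later in this series and should be written the same way. For a step that obtains a signing identity via OIDC, pinning the action to a full commit SHA rather than the moving `@v1` tag is also worth considering.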
diff --git a/.github/workflows/build-amd64.yml b/.github/workflows/build-amd64.yml
index 45ef5b0..43566f4 100644
--- a/.github/workflows/build-amd64.yml
+++ b/.github/workflows/build-amd64.yml
@@ -168,7 +168,7 @@ jobs:
 retention-days: 1
 - uses: actions/attest-build-provenance@v1
 with:
- subject-path: "${{ matrix.release }}${{ matrix.bindir }}/clang-*-${{ env.suffix }}*"
+ subject-path: "${{ matrix.release }}${{ matrix.bindir }}/clang-*-${{ env.suffix }}"
 
 draft-release:
 runs-on: ubuntu-22.04

From 1d6ea3a257f3865a2b1c509e62a8bacceb4810dd Mon Sep 17 00:00:00 2001
From: Peter Shen
Date: Fri, 14 Jun 2024 00:26:33 +0800
Subject: [PATCH 3/3] Update build-amd64.yml

---
 .github/workflows/build-amd64.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/build-amd64.yml b/.github/workflows/build-amd64.yml
index a23776a..cf3366d 100644
--- a/.github/workflows/build-amd64.yml
+++ b/.github/workflows/build-amd64.yml
@@ -170,7 +170,9 @@ jobs:
 name: clang-tools
 path: "${{ matrix.release }}${{ matrix.bindir }}/clang-*-${{ env.suffix }}*"
 retention-days: 1
- - uses: actions/attest-build-provenance@v1
+ - name: create attestations
+ if: ${{ github.actor != 'dependabot[bot]' }} || github.event_name != 'pull_request'
+ uses: actions/attest-build-provenance@v1
 with:
 subject-path: "${{ matrix.release }}${{ matrix.bindir }}/clang-*-${{ env.suffix }}"
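Review bot: Removing the trailing `*` from `subject-path` narrows the attested subjects to files named exactly `clang-*-<suffix>`, so the `.sha512sum` sidecars printed earlier in the job are no longer attested while `upload-artifact` still ships them under the unchanged `clang-*-${{ env.suffix }}*` pattern; that split looks deliberate but is easy to misread later, so a comment above the step such as `# attest the binaries only; the .sha512sum sidecars are uploaded but are not attestation subjects` would record it. The narrower pattern also means a binary whose filename carries anything after the suffix (a platform extension, unless `env.suffix` already includes it) silently drops out of the subject set, and I believe the action fails when a pattern matches no file, which would surface as a broken build rather than a missing attestation; `env.suffix` and the matrix are defined outside this hunk, so confirm against them. The third patch in this series keeps this `*`-less pattern, so the same note applies there.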