github: generate attestation for release

This will allow folks to verify that the release artifacts were built by GitHub and not tampered with by me or anyone else (except GitHub).
crawford · Jul 13, 2024 · 1b1ec8d · 1b1ec8d
1 parent 03b4979
commit 1b1ec8d
Showing 1 changed file with 10 additions and 3 deletions.
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -5,12 +5,11 @@ on:
     tags:
       - "**"
 
-permissions:
-  contents: write
-
 jobs:
   release:
     name: Create release
+    permissions:
+      contents: write
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -21,6 +20,10 @@ jobs:
   assets:
     name: Create artifact
     needs: release
+    permissions:
+      id-token: write
+      attestations: write
+      contents: write
     strategy:
       matrix:
         include:
@@ -46,3 +49,7 @@ jobs:
         env:
           GH_TOKEN: ${{ github.token }}
         run: gh release upload ${{ github.ref_name }} "marker-${{ matrix.target }}"
+      - name: Generate attestation
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-path: "marker-${{ matrix.target }}"