From 1b1ec8d8d46055ca07aeab1bbda572b1f26ecc54 Mon Sep 17 00:00:00 2001
From: Alex Crawford
Date: Fri, 12 Jul 2024 17:45:17 -0700
Subject: [PATCH] github: generate attestation for release

This will allow folks to verify that the release artifacts were built by GitHub and not tampered with by me or anyone else (except GitHub).
---
 .github/workflows/release.yaml | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index c3962cc..2d7f773 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -5,12 +5,11 @@ on:
 tags:
 - "**"
 
-permissions:
- contents: write
-
 jobs:
 release:
 name: Create release
+ permissions:
+ contents: write
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
@@ -21,6 +20,10 @@ jobs:
 assets:
 name: Create artifact
 needs: release
+ permissions:
+ id-token: write
+ attestations: write
+ contents: write
 strategy:
 matrix:
 include:
@@ -46,3 +49,7 @@ jobs:
 env:
 GH_TOKEN: ${{ github.token }}
 run: gh release upload ${{ github.ref_name }} "marker-${{ matrix.target }}"
+ - name: Generate attestation
+ uses: actions/attest-build-provenance@v1
+ with:
+ subject-path: "marker-${{ matrix.target }}"
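Review bot: With the workflow-level `permissions:` block deleted, any job that does not declare its own `permissions` (none today, but any job added later) falls back to the repository's default GITHUB_TOKEN permissions rather than to nothing. Keep the per-job grant added to `release` and restore an empty workflow-level block, `permissions: {}`, directly above `jobs:` so every job has to opt in explicitly. A one-line comment on the new job-level block, `# contents: write — needed to create the GitHub release`, would record why this job needs it. The `release` job's steps continue past the end of the hunk.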
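Review bot: The four permissions added to the `assets` job apply to every step in the job, so `id-token: write` and `attestations: write` are also available to the build steps that run before the upload (outside this hunk), not only to the attestation step; anything executed during the build in this job can therefore request an OIDC token or write attestations. If the build toolchain is not trusted to that degree, consider building the binary in one job and attesting and uploading it in a separate job that only downloads the finished artifact. At minimum, annotate each grant with its consumer, e.g. `# id-token/attestations: actions/attest-build-provenance; contents: gh release upload`, so a later reviewer can tell which step justifies which permission. The job's steps follow the hunk and are not visible here.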
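Review bot: The new step references `actions/attest-build-provenance@v1`, a floating major tag, and runs after `gh release upload`, so the asset is public for a window before its provenance exists and the action that produces the provenance can change underneath the tag. Pin the action to a full commit SHA with the version in a trailing comment, `uses: actions/attest-build-provenance@<full-commit-sha>  # v1.x.y`, and move the step ahead of the upload step so an asset is never published without an attestation (a failing attestation then stops the job before anything is released). A short comment above the step saying how consumers are expected to verify the attestation against the release asset would make the intent stated in the commit message discoverable from the workflow itself. The enclosing `steps:` list of the `assets` job begins before this hunk.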