From 52e32bb441a75d4557afdd00412163770daa8111 Mon Sep 17 00:00:00 2001
From: Alex Crawford
Date: Fri, 12 Jul 2024 17:45:17 -0700
Subject: [PATCH] github: generate attestation for release

This will allow folks to verify that the release artifacts were built by GitHub and not tampered with by me or anyone else (except GitHub).
---
 .github/workflows/release.yaml | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index f08c8c9..bd86194 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -5,12 +5,11 @@ on:
     tags:
       - "**"
 
-permissions:
-  contents: write
-
 jobs:
   release:
     name: Create release
+    permissions:
+      contents: write
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -21,6 +20,10 @@ jobs:
   assets:
     name: Create artifact
     needs: release
+    permissions:
+      id-token: write
+      attestations: write
+      contents: write
     strategy:
       matrix:
         include:
@@ -51,8 +54,14 @@ jobs:
           mkdir -p $NAME
           cp ${{ steps.build.outputs.path }} $NAME/
           tar --create --gzip --file $NAME.tar.gz $NAME/
+          echo name=$NAME >> $GITHUB_OUTPUT
           echo path=$NAME.tar.gz >> $GITHUB_OUTPUT
       - name: Upload artifact
         env:
           GH_TOKEN: ${{ github.token }}
         run: gh release upload ${{ github.ref_name }} ${{ steps.package.outputs.path }}
+      - name: Generate attestation
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-path: ${{ steps.build.outputs.path }}
+          subject-name: ${{ steps.package.outputs.name }}
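Review bot: The attestation in the last hunk is generated for the raw build output (`subject-path: ${{ steps.build.outputs.path }}`), while the asset actually published by the preceding upload step is the tarball `${{ steps.package.outputs.path }}`, so a downloader running `gh attestation verify` against the release asset will see a digest mismatch unless they first extract the inner binary; if the tarball is what users are meant to verify, the subject should be `subject-path: ${{ steps.package.outputs.path }}` (`subject-name` then defaults to the file's basename, and the new `name=$NAME` output is only needed if a different display name is wanted). The step also runs after `gh release upload`, so a failed attestation leaves an already-published asset with no provenance; placing "Generate attestation" before "Upload artifact" makes publication conditional on the attestation succeeding. Since this step now acts as a trust anchor for the release, pinning `actions/attest-build-provenance@v1` to a full commit SHA rather than a floating major tag is worth considering. The enclosing `steps:` list and the `build` and `package` steps referenced here start outside the hunk.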