From f4d928d07e417548e73a5f1a4e9ef294f14d7c5f Mon Sep 17 00:00:00 2001
From: Victor Martinez
Date: Mon, 10 Jun 2024 09:47:16 +0200
Subject: [PATCH] github-action: provenance (#1447)

---
 .github/workflows/release.yml | 32 ++++++++++++++++++++++++++++----
 1 file changed, 28 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 033c80e9b..48dfe63bb 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -4,13 +4,19 @@ on:
 push:
 tags:
 - "v[0-9]+*"
+ branches:
+ - main
 
 permissions:
- contents: write
+ contents: read
 
 jobs:
 release:
 runs-on: ubuntu-latest
+ permissions:
+ attestations: write
+ contents: write
+ id-token: write
 steps:
 - uses: actions/checkout@v4
 - uses: ruby/setup-ruby@v1
@@ -32,13 +38,29 @@ jobs:
 echo '---' > "${RUBY_CREDENTIALS_FILE}"
 echo ":rubygems_api_key: ${API_KEY}" >> "${RUBY_CREDENTIALS_FILE}"
 chmod 0600 "${RUBY_CREDENTIALS_FILE}"
+
 - name: Install build system
 run: .ci/scripts/install-build-system.sh
- - run: rake release
+
+ - name: rake release (only for tags)
+ run: rake release
+ if: startsWith(github.ref, 'refs/tags')
+
+ - name: rake build
+ run: rake build
+ if: ${{ ! startsWith(github.ref, 'refs/tags') }}
+
+ - name: generate build provenance
+ uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2
+ with:
+ subject-path: "${{ github.workspace }}/pkg/*.gem"
+
 update-branch:
 needs:
 - release
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
 steps:
 - uses: actions/checkout@v4
 - uses: ruby/setup-ruby@v1
@@ -48,7 +70,9 @@ jobs:
 uses: elastic/apm-pipeline-library/.github/actions/setup-git@current
 - name: Install build system
 run: .ci/scripts/install-build-system.sh
- - run: rake release:update_branch
+ - name: rake release:update_branch (only for tags)
+ run: rake release:update_branch
+ if: startsWith(github.ref, 'refs/tags')
 
 status:
 if: always()
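Review bot: With `branches: - main` added to the push trigger, the `release` job's new job-level `permissions` block now grants `id-token: write` and `contents: write` on every push to main, not only on tag pushes, and the job carries no `if` to narrow that. `attestations: write` plus `id-token: write` are what the provenance step needs, while `contents: write` is presumably only for the tag-only `rake release` step; if the job cannot be split into a main-branch build job and a tag-only publish job, document the intent above `release:`, e.g. `# main pushes: build + attest only; tag pushes: build + attest + publish (contents: write is for rake release)`. A comment on the new `branches:` entry saying it exists to attest unreleased builds would also help, since a reader of `release.yml` will otherwise assume every main push publishes.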
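Review bot: The RubyGems credentials step whose tail forms the first three context lines of this hunk still runs on every main push, so `${API_KEY}` is obtained and written to `${RUBY_CREDENTIALS_FILE}` in runs that only execute `rake build` and the attestation and never publish; gate that step with the same `if: startsWith(github.ref, 'refs/tags')` the new `rake release` step uses (the step begins outside the hunk). Separately, in tag runs `rake release` pushes the gem before `generate build provenance` executes, so a failed attestation cannot block a release that has already been published; it is worth checking whether building unconditionally with `rake build`, attesting, and only then publishing the attested `pkg/*.gem` is feasible here, which would turn the attestation into a gate rather than an afterthought.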
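Review bot: The `if: startsWith(github.ref, 'refs/tags')` guard sits on the step only, so on every main push the `update-branch` job still checks out the repo, installs Ruby and the build system, and receives the newly added `contents: write`, for a job whose only real step is then skipped. Unless the `status` job's dependency check treats a skipped job as a failure, move the guard to the job level, `update-branch:` / `if: startsWith(github.ref, 'refs/tags')` / `needs:`, which also keeps the write-capable token out of non-release runs. The `status` job that starts at the end of this hunk continues outside it.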
@@ -62,7 +86,7 @@ jobs:
 with:
 needs: ${{ toJSON(needs) }}
 - run: ${{ steps.check.outputs.isSuccess }}
- - if: always()
+ - if: ${{ always() && startsWith(github.ref, 'refs/tags') }}
 uses: elastic/apm-pipeline-library/.github/actions/notify-build-status@current
 with:
 vaultUrl: ${{ secrets.VAULT_ADDR }}
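Review bot: Gating the notify step on `startsWith(github.ref, 'refs/tags')` means a failed `rake build` or provenance attestation on a main push produces no notification at all, even though the `status` job itself still runs via `always()`. If that is intended, record it on the step, e.g. `# notify only for tag releases; main-branch provenance builds are not reported`; otherwise leave the condition at `always()` and let the notify action report main-branch failures as well. The `status` job's earlier steps lie outside this hunk.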