CI: Generate Artifact Attestations for release artifacts

str4d · Aug 28, 2024 · 9343af9 · 9343af9
1 parent 05f996c
commit 9343af9
Showing 1 changed file with 15 additions and 0 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -11,6 +11,11 @@ on:
         required: true
         default: 'true'
 
+permissions:
+  attestations: write
+  contents: write
+  id-token: write
+
 jobs:
   build:
     name: Publish for ${{ matrix.name }}
@@ -113,6 +118,11 @@ jobs:
         shell: bash
         if: matrix.name == 'windows'
 
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-path: 'release/rage/*'
+
       - name: Upload archive as artifact
         uses: actions/upload-artifact@v4
         with:
@@ -299,6 +309,11 @@ jobs:
       - name: cargo deb
         run: cargo deb --package rage --no-build --target ${{ matrix.target }} ${{ matrix.deb_flags }}
 
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-path: 'target/${{ matrix.target }}/debian/*.deb'
+
       - name: Upload Debian package as artifact
         uses: actions/upload-artifact@v4
         with: