Generate artifact attestation

ntkme · ntkme · commit 6a9fb83bac1a · 2025-03-24T09:37:21.000-07:00
diff --git a/.github/workflows/build-linux.yml b/.github/workflows/build-linux.yml
@@ -10,6 +10,10 @@ jobs:
 
     runs-on: ubuntu-latest
 
+    permissions:
+      attestations: write
+      id-token: write
+
     strategy:
       fail-fast: false
       matrix:
@@ -127,6 +131,12 @@ jobs:
           dart run grinder pkg-standalone-${{ matrix.target }}
           EOF
 
+      - name: Generate artifact attestation
+        if: github.ref_type == 'tag'
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-path: build/*.tar.gz
+
       - name: Upload Artifact
         uses: actions/upload-artifact@v4
         with:
diff --git a/.github/workflows/build-macos.yml b/.github/workflows/build-macos.yml
@@ -10,6 +10,10 @@ jobs:
 
     runs-on: ${{ matrix.runner }}
 
+    permissions:
+      attestations: write
+      id-token: write
+
     strategy:
       fail-fast: false
       matrix:
@@ -28,6 +32,12 @@ jobs:
       - name: Build
         run: dart run grinder pkg-standalone-macos-${{ matrix.arch }}
 
+      - name: Generate artifact attestation
+        if: github.ref_type == 'tag'
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-path: build/*.tar.gz
+
       - name: Upload Artifact
         uses: actions/upload-artifact@v4
         with:
diff --git a/.github/workflows/build-windows.yml b/.github/workflows/build-windows.yml
@@ -10,6 +10,10 @@ jobs:
 
     runs-on: ${{ matrix.runner }}
 
+    permissions:
+      attestations: write
+      id-token: write
+
     strategy:
       fail-fast: false
       matrix:
@@ -30,6 +34,12 @@ jobs:
       - name: Build
         run: dart run grinder pkg-standalone-windows-${{ matrix.arch }}
 
+      - name: Generate artifact attestation
+        if: github.ref_type == 'tag'
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-path: build/*.zip
+
       - name: Upload Artifact
         uses: actions/upload-artifact@v4
         with:
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -15,7 +15,7 @@ jobs:
     name: Double-check
     runs-on: ubuntu-latest
     needs: [test]
-    if: "startsWith(github.ref, 'refs/tags/') && github.event.repository.fork == false"
+    if: "github.ref_type == 'tag' && github.event.repository.fork == false"
 
     steps:
       - uses: actions/checkout@v4
@@ -27,14 +27,16 @@ jobs:
 
   test_vendor:
     needs: [double_check]
-    if: "startsWith(github.ref, 'refs/tags/') && github.event.repository.fork == false"
+    if: "github.ref_type == 'tag' && github.event.repository.fork == false"
     uses: ./.github/workflows/test-vendor.yml
     secrets: inherit
 
   release:
     needs: [test_vendor]
-    if: "startsWith(github.ref, 'refs/tags/') && github.event.repository.fork == false"
+    if: "github.ref_type == 'tag' && github.event.repository.fork == false"
     permissions:
+      attestations: write
       contents: write
+      id-token: write
     uses: ./.github/workflows/release.yml
     secrets: inherit
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -5,14 +5,23 @@ on:
 
 jobs:
   build_linux:
+    permissions:
+      attestations: write
+      id-token: write
     uses: ./.github/workflows/build-linux.yml
     secrets: inherit
 
   build_macos:
+    permissions:
+      attestations: write
+      id-token: write
     uses: ./.github/workflows/build-macos.yml
     secrets: inherit
 
   build_windows:
+    permissions:
+      attestations: write
+      id-token: write
     uses: ./.github/workflows/build-windows.yml
     secrets: inherit
 
