attestations

Putnam3145 · Nov 9, 2024 · 22226ab · 22226ab
1 parent 5cba402
commit 22226ab
Showing 1 changed file with 20 additions and 11 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,5 +1,9 @@
 name: Build Release
 
+permissions:
+    id-token: write
+    attestations: write
+
 on:
     release:
         types: [published]
@@ -59,11 +63,6 @@ jobs:
                   args: --target i686-unknown-linux-gnu --release --features katmos
               if: matrix.os == 'ubuntu-20.04'
 
-            - name: Write checksum to a file
-              shell: bash
-              run: |
-                  sha256sum "target/${{ matrix.target_name }}/release/${{ matrix.artifact_name }}" | tee ${{ matrix.artifact_name }}.sha256
-
             - name: Create bindings (Ubuntu)
               uses: actions-rs/cargo@v1
               with:
@@ -72,13 +71,22 @@ jobs:
                   args: --target i686-unknown-linux-gnu --release --features katmos --package auxmos --lib -- generate_binds --exact --show-output
               if: matrix.os == 'ubuntu-20.04'
 
-            - name: Upload checksum files to release
-              uses: svenstaro/upload-release-action@v1-release
+            - name: Generate build provenance (Binaries)
+              uses: actions/attest-build-provenance@v1
               with:
-                  repo_token: ${{ secrets.GITHUB_TOKEN }}
-                  file: ${{ matrix.artifact_name }}.sha256
-                  asset_name: ${{ matrix.artifact_name }}.sha256
-                  tag: ${{ github.ref }}
+                  subject-path: target/${{ matrix.target_name }}/release/${{ matrix.artifact_name }}
+
+            - name: Generate build provenance (Debug information)
+              uses: actions/attest-build-provenance@v1
+              with:
+                  subject-path: target/${{ matrix.target_name }}/release/${{ matrix.debug_pdb_name }}
+              if: matrix.os == 'windows-latest'
+
+            - name: Generate build provenance (Bindings)
+              uses: actions/attest-build-provenance@v1
+              with:
+                  subject-path: bindings.dm
+              if: matrix.os == 'ubuntu-20.04'
 
             - name: Upload binary to release
               uses: svenstaro/upload-release-action@v1-release
@@ -104,3 +112,4 @@ jobs:
                   file: bindings.dm
                   asset_name: bindings.dm
                   tag: ${{ github.ref }}
+              if: matrix.os == 'ubuntu-20.04'