From 6d468b73e4a17721f220148eea0fdc0588f4f372 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ege=20=C3=87etin?=
 <64282645+egecetin@users.noreply.github.com>
Date: Wed, 4 Sep 2024 09:59:10 +0300
Subject: [PATCH] prevent attestation pollution (#1567)

---
 .github/workflows/package.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml
index a037cfbf38..18be35778a 100644
--- a/.github/workflows/package.yml
+++ b/.github/workflows/package.yml
@@ -71,6 +71,7 @@ jobs:
         run: cmake --build "$BUILD_DIR" --target package
 
       - name: Generate artifact attestation
+        if: github.ref_type == 'tag'
         uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2
         with:
           subject-path: "${{ env.BUILD_DIR }}/*.tar.gz,${{ env.BUILD_DIR }}/*.deb,${{ env.BUILD_DIR }}/*.rpm"
@@ -113,6 +114,7 @@ jobs:
             cmake --build "$BUILD_DIR" --target package
 
       - name: Generate artifact attestation
+        if: github.ref_type == 'tag'
         uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2
         with:
           subject-path: "${{ env.BUILD_DIR }}/*.tar.gz"
@@ -156,6 +158,7 @@ jobs:
         run: cmake --build "$BUILD_DIR" --target package
 
       - name: Generate artifact attestation
+        if: github.ref_type == 'tag'
         uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2
         with:
           subject-path: "${{ env.BUILD_DIR }}/*.tar.gz,${{ env.BUILD_DIR }}/*.pkg"
@@ -226,6 +229,7 @@ jobs:
         run: cmake --build "$BUILD_DIR" --target package
 
       - name: Generate artifact attestation
+        if: github.ref_type == 'tag'
         uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2
         with:
           subject-path: "${{ env.BUILD_DIR }}/*.zip"
@@ -275,6 +279,7 @@ jobs:
         run: cmake --build "$env:BUILD_DIR" --config ${{ matrix.configuration }} --target package
 
       - name: Generate artifact attestation
+        if: github.ref_type == 'tag'
         uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2
         with:
           subject-path: "${{ env.BUILD_DIR }}/*.zip"
@@ -365,6 +370,7 @@ jobs:
           tar cvf "${PACKAGE_DIR}.tar.gz" "${PACKAGE_DIR}"
 
       - name: Generate artifact attestation
+        if: github.ref_type == 'tag'
         uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2
         with:
           subject-path: "${{ env.PACKAGE_DIR }}.tar.gz"