Build provenance attestation

2025-04-21 06:19:08 +00:00 · 2024-06-01 02:00:45 +02:00 · 2024-06-01 02:00:45 +02:00 · 4554d3bc55
commit 4554d3bc55
parent a082a6f45b
1 changed files with 23 additions and 3 deletions
--- a/.github/workflows/publish-exe.yml
+++ b/.github/workflows/publish-exe.yml
@ -8,6 +8,12 @@ name: Publish Releases
 jobs:
  build_publish:
    name: Publishing Tasks
+
+    permissions:
+      id-token: write
+      contents: read
+      attestations: write
+
    strategy:
      matrix:
        target:
@ -84,10 +90,24 @@ jobs:
            fi
          fi

-      # Enable build verification
-      - name: Verifiable Build
+      # Support verifiable builds
+      - name: Calculate hashes
        shell: bash
-        run: sha256sum ./mypubdir4/*
+        run: |
+          echo "--- BEGIN SHA256SUM ---"
+          sha256sum ./mypubdir4/*
+          echo "--- END SHA256SUM ---"
+
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: bin
+          path: mypubdir4/*
+
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-path: mypubdir4/*

      - name: Publish
        uses: softprops/action-gh-release@v1