Merge pull request #4150 from manugupt1/provenance

AkihiroSuda · web-flow · commit 105ca4d835e3 · 2025-04-24T09:31:39.000+09:00
Add provenance from github actions
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -13,6 +13,12 @@ jobs:
   release:
     runs-on: ubuntu-24.04
     timeout-minutes: 40
+    # The maximum access is "read" for PRs from public forked repos
+    # https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
+    permissions:
+      contents: write  # for releases
+      id-token: write  # for provenances
+      attestations: write  # for provenances
     steps:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
     - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b  # v5.4.0
@@ -39,6 +45,11 @@ jobs:
         - - -
         Release manager: [ADD YOUR NAME HERE] (@[ADD YOUR GITHUB ID HERE])
         EOF
+    - name: "Generate artifact attestation"
+      uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2  # v2.2.3
+      if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
+      with:
+        subject-path: _output/*
     - name: "Create release"
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
