From 35f14fa833a0c8d4aa46e46a173e578f4a9f543d Mon Sep 17 00:00:00 2001
From: Raboneko <119771935+raboneko@users.noreply.github.com>
Date: Sat, 4 Apr 2026 23:57:29 -0700
Subject: [PATCH] feat: add build attestation (#10978) (#11077)
* feat: add build attestation
* chore: Update to v4.1.0
* feat: Update to v4.1.0
---------
(cherry picked from commit 779d744af4dde2bfb0988cba4aec0009d4f75923)
Signed-off-by: Kyle Gospodnetich
Co-authored-by: Kyle Gospodnetich
---
 .github/workflows/autobuild.yml | 3 +++
 .github/workflows/bootstrap.yml | 10 ++++++++++
 .github/workflows/build.yml | 3 +++
 .github/workflows/json-build.yml | 11 +++++++++++
 4 files changed, 27 insertions(+)
diff --git a/.github/workflows/autobuild.yml b/.github/workflows/autobuild.yml
index aeef3601a6..d33171737e 100644
--- a/.github/workflows/autobuild.yml
+++ b/.github/workflows/autobuild.yml
@@ -3,6 +3,9 @@
 name: Automatically build packages
 permissions:
   contents: read
+  attestations: write
+  artifact-metadata: write
+  id-token: write
 on:
   push:
     paths:
diff --git a/.github/workflows/bootstrap.yml b/.github/workflows/bootstrap.yml
index 59ce6d02f3..fbc456f9b1 100644
--- a/.github/workflows/bootstrap.yml
+++ b/.github/workflows/bootstrap.yml
@@ -1,6 +1,9 @@
 name: Bootstrap Andaman and Subatomic
 permissions:
   contents: read
+  attestations: write
+  artifact-metadata: write
+  id-token: write
 on:
   workflow_dispatch:
 
@@ -79,3 +82,10 @@ jobs:
           --server https://subatomic.fyralabs.com \
           --token ${{ secrets.SUBATOMIC_TOKEN }} \
           terra${{ matrix.version }}-source anda-build/rpm/srpm/*
+
+      - name: Attest build provenance
+        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
+        with:
+          subject-path: |
+            anda-build/rpm/rpms/*
+            anda-build/rpm/srpm/*
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 310757f2bf..e847b76617 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
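Review bot: `id-token: write`, `attestations: write` and `artifact-metadata: write` are added to the workflow-level `permissions:` of autobuild.yml, which grants them to every step of every job in the workflow — third-party actions included — although only the attestation step consumes them; the permissions hunks in bootstrap.yml, build.yml and json-build.yml have the same shape. Moving the three keys under the `permissions:` of the job that runs `actions/attest-build-provenance` (or, in autobuild.yml and build.yml where no attestation step is added, the job that invokes the reusable workflow — presumably json-build.yml, which is `on: workflow_call`) keeps the remaining jobs at `contents: read`. A short comment above the new keys, `# needed by actions/attest-build-provenance`, would also record why `contents: read` alone is no longer sufficient.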
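Review bot: The new attestation step in bootstrap.yml runs only after the SRPMs have been uploaded to Subatomic (the `--server https://subatomic.fyralabs.com` command immediately above it), so a failure in `actions/attest-build-provenance` leaves packages already published without provenance and merely fails the job afterwards; the second json-build.yml hunk orders its step the same way. Since `subject-path` reads only local files under anda-build/rpm/, the step can run before the upload so that a missing attestation blocks publication, or, if the current order is deliberate, a comment on the step saying so would help the next reader. The enclosing job starts outside the hunk.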
@@ -1,6 +1,9 @@
 name: Manual Builds
 permissions:
   contents: read
+  attestations: write
+  artifact-metadata: write
+  id-token: write
 on:
   workflow_dispatch:
     inputs:
diff --git a/.github/workflows/json-build.yml b/.github/workflows/json-build.yml
index 4b7c7d4332..0f9db09a6c 100644
--- a/.github/workflows/json-build.yml
+++ b/.github/workflows/json-build.yml
@@ -1,6 +1,9 @@
 name: JSON Build
 permissions:
   contents: read
+  attestations: write
+  artifact-metadata: write
+  id-token: write
 on:
   workflow_call:
     inputs:
@@ -125,6 +128,14 @@ jobs:
           --token ${{ secrets.SUBATOMIC_TOKEN }} \
           terra${{ matrix.version }}${{ matrix.pkg.labels['subrepo'] && '-$subrepo' || '' }}-source anda-build/rpm/srpm/*
 
+      - name: Attest build provenance
+        if: inputs.publish
+        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
+        with:
+          subject-path: |
+            anda-build/rpm/rpms/*
+            anda-build/rpm/srpm/*
+
       - name: Notify Madoguchi (Success)
         if: inputs.publish && success()
         run: ./.github/workflows/mg.sh true "${{matrix.pkg.pkg}}" "${{matrix.version}}" "${{matrix.pkg.arch}}" "${{github.run_id}}" "${{secrets.MADOGUCHI_JWT}}" "$GITHUB_SHA"
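Review bot: `if: inputs.publish` on the new step in json-build.yml means attestation is never exercised on non-publish invocations, so a misconfiguration — most likely a caller that does not grant `id-token: write` and `attestations: write` to the job invoking this reusable workflow, since a called workflow cannot exceed its caller's permissions — surfaces only during a real publish, after the upload has happened. It would be worth stating in the `workflow_call` inputs description (outside this hunk) that callers must grant those permissions whenever `publish` is set. Note also that `Notify Madoguchi (Success)` is gated on `success()`, so an attestation failure now suppresses the success notification; if that is intended, a comment such as `# an attestation failure fails the job and skips the success notification` on the new step would make it explicit. The enclosing job starts outside the hunk.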