From 886a9b8a351f0afdb56a1d24aea768fa3b455ef4 Mon Sep 17 00:00:00 2001
From: Gilver
Date: Thu, 7 May 2026 01:12:19 -0500
Subject: [PATCH] [f43] chore: Backport build attestations (#12033)
---
 .github/workflows/autobuild.yml | 3 +++
 .github/workflows/bootstrap.yml | 10 ++++++++++
 .github/workflows/build.yml | 3 +++
 .github/workflows/json-build.yml | 11 +++++++++++
 4 files changed, 27 insertions(+)
diff --git a/.github/workflows/autobuild.yml b/.github/workflows/autobuild.yml
index 0587695b15..c565ec1149 100644
--- a/.github/workflows/autobuild.yml
+++ b/.github/workflows/autobuild.yml
@@ -3,6 +3,9 @@ name: Automatically build packages
 permissions:
 contents: read
+ attestations: write
+ artifact-metadata: write
+ id-token: write
 on:
 push:
 paths:
diff --git a/.github/workflows/bootstrap.yml b/.github/workflows/bootstrap.yml
index 9e87020d16..7960da6fba 100644
--- a/.github/workflows/bootstrap.yml
+++ b/.github/workflows/bootstrap.yml
@@ -1,6 +1,9 @@
 name: Bootstrap Andaman and Subatomic
 permissions:
 contents: read
+ attestations: write
+ artifact-metadata: write
+ id-token: write
 on:
 workflow_dispatch:
@@ -85,3 +88,10 @@ jobs:
 -H "Authorization: Bearer ${{ secrets.MADOGUCHI_JWT }}" \
 -H "Content-Type: application/json" \
 -d '{"link":"https://repos.fyralabs.com/terra'${{ matrix.version }}'/","gh":"https://github.com/terrapkg/packages/tree/f'${{ matrix.version }}'"}' --fail-with-body
+
+ - name: Attest build provenance
+ uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
+ with:
+ subject-path: |
+ anda-build/rpm/rpms/*
+ anda-build/rpm/srpm/*
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 9c9cc09a85..1e232af45f 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,6 +1,9 @@
 name: Manual Builds
 permissions:
 contents: read
+ attestations: write
+ artifact-metadata: write
+ id-token: write
 on:
 workflow_dispatch:
 inputs:
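Review bot: The three `write` grants are added at workflow level, so every job in autobuild.yml — not only the one that ends up producing the attestation — can request an OIDC token and write attestations under the repository identity, and any step or third-party action in those jobs inherits that. Nothing in this file's hunk consumes the permissions, so presumably they are needed by the reusable `json-build.yml` this workflow calls, which cannot escalate beyond what the calling job grants (the calling job is outside the hunk). The narrower form is to keep the workflow-level block at `contents: read` and put `attestations: write`, `artifact-metadata: write` and `id-token: write` under the `permissions:` of the job that `uses:` the reusable workflow. The same workflow-level block is added to bootstrap.yml and build.yml in this patch, and the same scoping applies there.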
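Review bot: The new `Attest build provenance` step in bootstrap.yml runs after the repository has already been registered with Madoguchi via the curl above it (and, as far as the hunk shows, after whatever upload step precedes that curl), so an attestation failure leaves packages published without provenance while the job is marked failed; a rerun of a typically non-reproducible RPM build yields different digests, so the files already published never receive a matching attestation. Moving the step ahead of the upload and registration steps makes a missing attestation block publication instead of merely failing afterwards. Unlike the json-build.yml variant this step has no `if:` guard, and I believe the action fails when a `subject-path` pattern matches no files, so if some matrix entries produce no SRPMs the `anda-build/rpm/srpm/*` line becomes a new failure mode — worth confirming against the action's behaviour. The enclosing job starts outside the hunk.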
diff --git a/.github/workflows/json-build.yml b/.github/workflows/json-build.yml
index 593ecf61a9..3e84bf3315 100644
--- a/.github/workflows/json-build.yml
+++ b/.github/workflows/json-build.yml
@@ -1,6 +1,9 @@
 name: JSON Build
 permissions:
 contents: read
+ attestations: write
+ artifact-metadata: write
+ id-token: write
 on:
 workflow_call:
 inputs:
@@ -125,6 +128,14 @@ jobs: --token ${{ secrets.SUBATOMIC_TOKEN }} \ terra${{ matrix.version }}${{ matrix.pkg.labels['subrepo'] && '-$subrepo' || '' }}-source anda-build/rpm/srpm/* + - name: Attest build provenance if: inputs.publish uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0 with: subject-path: | anda-build/rpm/rpms/* anda-build/rpm/srpm/* + - name: Notify Madoguchi (Success) if: inputs.publish && success() run: ./.github/workflows/mg.sh true "${{matrix.pkg.pkg}}" "${{matrix.version}}" "${{matrix.pkg.arch}}" "${{github.run_id}}" "${{secrets.MADOGUCHI_JWT}}" "$GITHUB_SHA"
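Review bot: json-build.yml is a `workflow_call` workflow, so its new `permissions` block only declares what the attest step needs — a called workflow cannot obtain more than the calling job grants, and a caller that still passes only `contents: read` will presumably fail at the attestation step (when it tries to fetch an OIDC token) rather than at parse time. A comment on the new lines would save the next caller author a failed run, e.g. `# Needed by the "Attest build provenance" step; callers must grant at least these to the job that uses this workflow.`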
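Review bot: The attest step is placed after the `subatomic-cli` push of `anda-build/rpm/srpm/*` (and presumably the RPM push above it, outside the hunk), so when attestation fails the packages are already in the terra repository without provenance, and a rerun of a typically non-reproducible RPM build publishes different digests that again do not match. Putting the step before the push steps, keeping its `if: inputs.publish`, makes a successful attestation a precondition of publishing rather than an afterthought. Because the step is gated on `inputs.publish`, non-publish runs produce no attestation at all; if that is intended, a short comment on the `if:` line would make it explicit, e.g. `# only attest artifacts that are actually published`. The enclosing job starts outside the hunk.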