From f9de4d12f0c9c04bb5accaa12821b2f95c78deed Mon Sep 17 00:00:00 2001
From: Raboneko <119771935+raboneko@users.noreply.github.com>
Date: Sat, 4 Apr 2026 23:57:29 -0700
Subject: [PATCH] feat: add build attestation (#10978) (#11076)

* feat: add build attestation
* chore: Update to v4.1.0
* feat: Update to v4.1.0
---------
(cherry picked from commit 779d744af4dde2bfb0988cba4aec0009d4f75923)
Signed-off-by: Kyle Gospodnetich
Co-authored-by: Kyle Gospodnetich
---
 .github/workflows/autobuild.yml | 3 +++
 .github/workflows/bootstrap.yml | 10 ++++++++++
 .github/workflows/build.yml | 3 +++
 .github/workflows/json-build.yml | 11 +++++++++++
 4 files changed, 27 insertions(+)

diff --git a/.github/workflows/autobuild.yml b/.github/workflows/autobuild.yml
index 10bf14a5ba..fb9683a372 100644
--- a/.github/workflows/autobuild.yml
+++ b/.github/workflows/autobuild.yml
@@ -3,6 +3,9 @@ name: Automatically build packages
 permissions:
 contents: read
+ attestations: write
+ artifact-metadata: write
+ id-token: write
 on:
 push:
 paths:
diff --git a/.github/workflows/bootstrap.yml b/.github/workflows/bootstrap.yml
index afb00ff491..c5e4e212fa 100644
--- a/.github/workflows/bootstrap.yml
+++ b/.github/workflows/bootstrap.yml
@@ -1,6 +1,9 @@
 name: Bootstrap Andaman and Subatomic
 permissions:
 contents: read
+ attestations: write
+ artifact-metadata: write
+ id-token: write
 on:
 workflow_dispatch:
@@ -79,3 +82,10 @@ jobs:
 --server https://subatomic.fyralabs.com \
 --token ${{ secrets.SUBATOMIC_TOKEN }} \
 terra${{ matrix.version }}-source anda-build/rpm/srpm/*
+
+ - name: Attest build provenance
+ uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
+ with:
+ subject-path: |
+ anda-build/rpm/rpms/*
+ anda-build/rpm/srpm/*
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 401bf66f33..4831269c68 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
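Review bot: The three new `write` grants sit in the workflow-level `permissions:` block, so every job in autobuild.yml, and every third-party action step inside those jobs, can mint an OIDC token and write attestations, not only the job that builds packages; the same workflow-level block is added to bootstrap.yml, build.yml and json-build.yml in this commit. The block already follows the explicit-grant model (`contents: read` alone), so the narrower form is to keep the workflow block read-only and move `attestations: write`, `artifact-metadata: write` and `id-token: write` under the single job that runs the attest step. The diffstat shows only these three lines changing in autobuild.yml and build.yml, which suggests they exist to pass the grants through to the reusable json-build.yml; a job-level `permissions:` on the calling `uses:` job passes them through just as well.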
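Review bot: The new attest step runs after the step whose `--server`/`--token` continuation lines form the context above, i.e. after the packages have already been pushed to Subatomic, so a failure in `attest-build-provenance` leaves published artifacts with no provenance and only a red workflow run to show for it; json-build.yml uses the same ordering, where a failed attestation additionally suppresses the `Notify Madoguchi (Success)` step that is gated on `success()`. Attesting `anda-build/rpm/rpms/*` and `anda-build/rpm/srpm/*` before the upload step means a failed attestation also blocks the publish, which is the order a consumer verifying provenance would expect; the upload step itself begins outside the hunk. It is also worth recording on the step what the globs are expected to match, e.g. `# every file under rpms/ and srpm/ gets a provenance attestation; a glob that matches nothing is, as far as I can tell, a hard failure of the action`, so that a build producing only one of the two directories is investigated rather than guessed at.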
@@ -1,6 +1,9 @@
 name: Manual Builds
 permissions:
 contents: read
+ attestations: write
+ artifact-metadata: write
+ id-token: write
 on:
 workflow_dispatch:
 inputs:
diff --git a/.github/workflows/json-build.yml b/.github/workflows/json-build.yml
index 55491167d6..d58de6887e 100644
--- a/.github/workflows/json-build.yml
+++ b/.github/workflows/json-build.yml
@@ -1,6 +1,9 @@
 name: JSON Build
 permissions:
 contents: read
+ attestations: write
+ artifact-metadata: write
+ id-token: write
 on:
 workflow_call:
 inputs:
@@ -120,6 +123,14 @@ jobs:
 --token ${{ secrets.SUBATOMIC_TOKEN }} \
 terra${{ matrix.version }}${{ matrix.pkg.labels['subrepo'] && '-$subrepo' || '' }}-source anda-build/rpm/srpm/*
+ - name: Attest build provenance
+ if: inputs.publish
+ uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
+ with:
+ subject-path: |
+ anda-build/rpm/rpms/*
+ anda-build/rpm/srpm/*
+
 - name: Notify Madoguchi (Success)
 if: inputs.publish && success()
 run: ./.github/workflows/mg.sh true "${{matrix.pkg.pkg}}" "${{matrix.version}}" "${{matrix.pkg.arch}}" "${{github.run_id}}" "${{secrets.MADOGUCHI_JWT}}" "$GITHUB_SHA"
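Review bot: json-build.yml is a reusable workflow (`on:` / `workflow_call:` is the context directly under the new lines), so the `attestations`, `artifact-metadata` and `id-token` grants added here only take effect when the calling job also holds them; a called workflow cannot raise its token permissions above what the caller passes in. The three-line changes to autobuild.yml and build.yml in this commit appear to be what satisfies that, but nothing in this file records the dependency, so a future caller that keeps `contents: read` alone will have the `if: inputs.publish` attest step fail at run time rather than at review. A comment on the block would make the contract explicit, e.g. `# callers must grant id-token/attestations/artifact-metadata write as well; the attest step cannot run on a caller-restricted token`.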