ci: try to add attest-build-provenance

cawa-93 · Nov 16, 2024 · 164be01 · 164be01
1 parent ba605c1
commit 164be01
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 7 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -47,6 +47,10 @@ jobs:
   compile-and-test:
     needs:
       - prepare
+    permissions:
+      contents: write
+      id-token: write
+      attestations: write
     uses: ./.github/workflows/compile-and-test.yml
     with:
       renderer-template: ${{ inputs.renderer-template }}
@@ -57,8 +61,6 @@ jobs:
     if: github.event_name == 'push' && github.ref == 'refs/heads/main'
     permissions:
       contents: write
-      id-token: write
-      attestations: write
     needs:
       - prepare
       - compile-and-test

diff --git a/.github/workflows/compile-and-test.yml b/.github/workflows/compile-and-test.yml
@@ -19,6 +19,11 @@ defaults:
   run:
     shell: 'bash'
 
+permissions:
+  contents: write
+  id-token: write
+  attestations: write
+
 env:
   NODE_NO_WARNINGS: 1
   PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 1
@@ -59,6 +64,10 @@ jobs:
 
       - run: npm run test --if-present
 
+      - uses: actions/attest-build-provenance@v1
+        with:
+          subject-path: "dist/root*, dist/latest*.yml"
+
       - name: Upload compiled app
         uses: actions/upload-artifact@v4
         with:

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -12,8 +12,6 @@ on:
 
 permissions:
   contents: write
-  id-token: write
-  attestations: write
 
 defaults:
   run:
@@ -38,9 +36,7 @@ jobs:
           pattern: "*-${{inputs.distribution-channel}}"
           path: dist
           merge-multiple: true
-      - uses: actions/attest-build-provenance@v1
-        with:
-          subject-path: "dist/root*, dist/latest*.yml"
+
       - run: gh release create v${{inputs.app-version}} dist/root* dist/latest*.yml --repo ${{github.repository}}
         env:
           GH_TOKEN: ${{ github.token }}