Merge pull request #128 from TimWolla/release-action-build-provenance

Add build provenance attestation to the release workflow
php · Nov 25, 2024 · 33f911a · 33f911a
2 parents 17ca9d5 + ec456ff
commit 33f911a
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -20,6 +20,10 @@ jobs:
     permissions:
       # contents:write is required to upload the binaries to the release.
       contents: write
+      # id-token:write is required for build provenance attestation.
+      id-token: write
+      # attestations:write is required for build provenance attestation.
+      attestations: write
     steps:
       - name: Setup PHP
         uses: shivammathur/setup-php@v2
@@ -49,6 +53,10 @@ jobs:
               --detach-sign \
               --output pie.phar.asc \
               pie.phar
+      - name: Generate build provenance attestation
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-path: '${{ github.workspace }}/pie.phar'
       - name: Upload binaries to release
         uses: softprops/action-gh-release@v2
         if: ${{startsWith(github.ref, 'refs/tags/') }}