Merge pull request #111 from ChristianGalla/attestation-improvement

ChristianGalla · web-flow · commit 3cce24784d99 · 2025-01-03T12:16:30.000+01:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -139,20 +139,33 @@ jobs:
       id: setup-attestation
       uses: actions/attest-build-provenance@v2
       with:
-        subject-path: build\publish\*.msi
+        subject-path: |
+          build/publish/*.msi
+          build/publish/**/AutoStartConfirmLib.dll
+          build/publish/**/AutoStartConfirmLib.pdb
+          build/publish/**/AutoStartConfirm.dll
+          build/publish/**/AutoStartConfirm.exe
+          build/publish/**/AutoStartConfirm.pdb
+          build/publish/**/AutoStartConfirm.deps.json
         
     - name: Generate framework dependent SBOM attestation
       if: ${{ inputs.attestation }}
       id: sbom-framework-dependent-attestation
       uses: actions/attest-sbom@v1
       with:
-        subject-path: build\publish\AutoStartConfirmSetup_FrameworkDependent.msi
+        subject-path: |
+          build/publish/Release_FrameworkDependent_win-x64/AutoStartConfirm.dll
+          build/publish/Release_FrameworkDependent_win-x64/AutoStartConfirm.exe
+          build/publish/AutoStartConfirmSetup_FrameworkDependent.msi
         sbom-path: FrameworkDependent.sbom.spdx.json
         
     - name: Generate standalone SBOM attestation
       if: ${{ inputs.attestation }}
       id: sbom-standalone-attestation
       uses: actions/attest-sbom@v1
       with:
-        subject-path: build\publish\AutoStartConfirmSetup_Standalone.msi
+        subject-path: |
+          build/publish/Release_Standalone_win-x64/AutoStartConfirm.dll
+          build/publish/Release_Standalone_win-x64/AutoStartConfirm.exe
+          build/publish/AutoStartConfirmSetup_Standalone.msi
         sbom-path: Standalone.sbom.spdx.json
diff --git a/README.md b/README.md
@@ -18,6 +18,7 @@ Therefore, this program monitors whether a program wants to start automatically
 * [Changelog](#changelog)
 * [Installation](#installation)
   * [Windows Package Manager (Winget)](#windows-package-manager-winget)
+* [Artifact attestation](#artifact-attestation)
 * [Usage documentation](#usage-documentation)
 * [Usage warning](#usage-warning)
 * [State of development](#state-of-development)
@@ -53,6 +54,22 @@ You can install it using the following command prompt or PowerShell command:
 winget install ChristianGalla.AutoStartConfirm
 ```
 
+## Artifact attestation
+
+For all releases after January 2025 this project uses [artifact attestation](https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds).
+
+You can verify if your Auto Start Confirm installer, executable or dynamic link library file has been generated inside a release workflow of this repository by using the following command after installing the [GitHub CLI](https://github.com/cli/cli#installation):
+
+```powershell
+gh attestation verify --repo ChristianGalla/AutoStartConfirm AutoStartConfirmSetup_Standalone.msi
+```
+
+Also, you can verify the software bill of materials (SBOM):
+
+```powershell
+gh attestation verify --repo ChristianGalla/AutoStartConfirm --predicate-type https://spdx.dev/Document/v2.3 --format=json AutoStartConfirmSetup_Standalone.msi
+```
+
 ## Usage documentation
 
 The program starts in the background and can be accessed using its icon in the notification area
