ci: Attest release artifacts (#4816)

validcube · oSumAtrIX · web-flow · commit fe864d8331a1 · 2025-05-22T14:56:33.000+02:00
Co-authored-by: oSumAtrIX &lt;johan.melkonyan1@web.de&gt;
diff --git a/.github/workflows/build_pull_request.yml b/.github/workflows/build_pull_request.yml
@@ -19,11 +19,11 @@ jobs:
       - name: Setup Java
         uses: actions/setup-java@v4
         with:
-          distribution: "temurin"
-          java-version: "17"
+          distribution: 'temurin'
+          java-version: '17'
 
       - name: Cache Gradle
-        uses: burrunan/gradle-cache-action@v1
+        uses: burrunan/gradle-cache-action@v3
 
       - name: Build
         env:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -13,24 +13,23 @@ jobs:
     permissions:
       contents: write
       packages: write
+      id-token: write
+      attestations: write
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v4
         with:
-          # Make sure the release step uses its own credentials:
-          # https://github.com/cycjimmy/semantic-release-action#private-packages
-          persist-credentials: false
           fetch-depth: 0
 
       - name: Setup Java
         uses: actions/setup-java@v4
         with:
-          distribution: "temurin"
-          java-version: "17"
+          distribution: 'temurin'
+          java-version: '17'
 
       - name: Cache Gradle
-        uses: burrunan/gradle-cache-action@v1
+        uses: burrunan/gradle-cache-action@v3
 
       - name: Build
         env:
@@ -40,7 +39,7 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: "lts/*"
+          node-version: 'lts/*'
           cache: 'npm'
 
       - name: Install dependencies
@@ -54,6 +53,14 @@ jobs:
           fingerprint: ${{ vars.GPG_FINGERPRINT }}
 
       - name: Release
+        uses: cycjimmy/semantic-release-action@v4
+        id: release
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: npm exec semantic-release
+
+      - name: Attest
+        if: steps.release.outputs.new_release_published == 'true'
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-name: 'ReVanced Patches ${{ steps.release.outputs.new_release_git_tag }}'
+          subject-path: patches/build/libs/patches-*.rvp
diff --git a/.releaserc b/.releaserc
@@ -22,7 +22,7 @@
       {
         "assets": [
           "CHANGELOG.md",
-          "gradle.properties",
+          "gradle.properties"
         ],
         "message": "chore: Release v${nextRelease.version} [skip ci]\n\n${nextRelease.notes}"
       }
@@ -33,16 +33,16 @@
         "assets": [
           {
             "path": "patches/build/libs/patches-!(*sources*|*javadoc*).rvp?(.asc)"
-          },
+          }
         ],
-        successComment: false
+        "successComment": false
       }
     ],
     [
       "@saithodev/semantic-release-backmerge",
       {
-        backmergeBranches: [{"from": "main", "to": "dev"}],
-        clearWorkspace: true
+        "backmergeBranches": [{"from": "main", "to": "dev"}],
+        "clearWorkspace": true
       }
     ]
   ]

Original file line number	Diff line number	Diff line change
`@@ -22,7 +22,7 @@`
`22`	`22`	`{`
`23`	`23`	`"assets": [`
`24`	`24`	`"CHANGELOG.md",`
`25`		`- "gradle.properties",`
	`25`	`+ "gradle.properties"`
`26`	`26`	`],`
`27`	`27`	`"message": "chore: Release v${nextRelease.version} [skip ci]\n\n${nextRelease.notes}"`
`28`	`28`	`}`
`@@ -33,16 +33,16 @@`
`33`	`33`	`"assets": [`
`34`	`34`	`{`
`35`	`35`	`"path": "patches/build/libs/patches-!(sources\|javadoc).rvp?(.asc)"`
`36`		`- },`
	`36`	`+ }`
`37`	`37`	`],`
`38`		`- successComment: false`
	`38`	`+ "successComment": false`
`39`	`39`	`}`
`40`	`40`	`],`
`41`	`41`	`[`
`42`	`42`	`"@saithodev/semantic-release-backmerge",`
`43`	`43`	`{`
`44`		`- backmergeBranches: [{"from": "main", "to": "dev"}],`
`45`		`- clearWorkspace: true`
	`44`	`+ "backmergeBranches": [{"from": "main", "to": "dev"}],`
	`45`	`+ "clearWorkspace": true`
`46`	`46`	`}`
`47`	`47`	`]`
`48`	`48`	`]`