Merge pull request #169

DennisDyallo · web-flow · commit a7d9bbc38c9e · 2024-12-17T21:25:45.000+01:00
ci: added github attestation to build assets
diff --git a/.github/workflows/build-nativeshims.yml b/.github/workflows/build-nativeshims.yml
@@ -110,6 +110,11 @@ jobs:
 
   pack:
     name: Package artifacts
+    permissions:
+      id-token: write
+      contents: read
+      packages: read
+      attestations: write
     runs-on: windows-2019
     needs: [build-windows, build-linux-amd64, build-linux-arm64, build-macos]
     steps:
@@ -130,6 +135,15 @@ jobs:
         with:
           name: Yubico.NativeShims.nupkg
           path: Yubico.NativeShims.*.nupkg
+      
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-path: |
+            Yubico.NativeShims/**/*.dll
+            Yubico.NativeShims/**/*.so
+            Yubico.NativeShims/**/*.dylib
+            Yubico.NativeShims.*.nupkg
 
   publish-internal:
     name: Publish to internal NuGet
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -62,8 +62,10 @@ jobs:
     runs-on: windows-2019
     needs: run-tests
     permissions:
+      id-token: write
       contents: read
       packages: read
+      attestations: write
     steps:
       # Checkout the local repository
       - uses: actions/checkout@v4
@@ -122,6 +124,20 @@ jobs:
             Yubico.Core/src/bin/ReleaseWithDocs/**/*.dll
             Yubico.YubiKey/src/bin/ReleaseWithDocs/**/*.dll
 
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-path: |
+            Yubico.DotNetPolyfills/src/bin/ReleaseWithDocs/*.nupkg
+            Yubico.Core/src/bin/ReleaseWithDocs/*.nupkg
+            Yubico.YubiKey/src/bin/ReleaseWithDocs/*.nupkg
+            Yubico.DotNetPolyfills/src/bin/ReleaseWithDocs/*.snupkg
+            Yubico.Core/src/bin/ReleaseWithDocs/*.snupkg
+            Yubico.YubiKey/src/bin/ReleaseWithDocs/*.snupkg
+            Yubico.DotNetPolyfills/src/bin/ReleaseWithDocs/**/*.dll
+            Yubico.Core/src/bin/ReleaseWithDocs/**/*.dll
+            Yubico.YubiKey/src/bin/ReleaseWithDocs/**/*.dll
+
       # Package the OATH sample code source
       - name: Save build artifacts
         uses: actions/upload-artifact@v4
