Generate artifact attestation

ntkme · ntkme · commit ed5f1c7215a8 · 2025-02-14T11:18:59.000-08:00
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -62,6 +62,10 @@ jobs:
 
     runs-on: ubuntu-latest
 
+    permissions:
+      id-token: write
+      attestations: write
+
     container:
       image: docker.io/library/debian
 
@@ -119,6 +123,11 @@ jobs:
         run: |
           tar -czf dartsdk-android-${{ matrix.target-arch }}-release.tar.gz -C dart-sdk/sdk/out/Release* -- dart-sdk
 
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-path: dartsdk-android-${{ matrix.target-arch }}-release.tar.gz
+
       - name: Upload Artifact
         uses: actions/upload-artifact@v4
         with:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -7,6 +7,9 @@ on:
 
 jobs:
   build:
+    permissions:
+      id-token: write
+      attestations: write
     uses: ./.github/workflows/build.yml
     with:
       ref: ${{ github.ref_name }}
diff --git a/.github/workflows/schedule.yml b/.github/workflows/schedule.yml
@@ -58,6 +58,9 @@ jobs:
   stable:
     needs: [latest]
     if: needs.latest.outputs.stable-cache-hit != 'true'
+    permissions:
+      id-token: write
+      attestations: write
     uses: ./.github/workflows/build.yml
     with:
       ref: ${{ needs.latest.outputs.stable-version }}
@@ -66,6 +69,9 @@ jobs:
   beta:
     needs: [latest]
     if: needs.latest.outputs.beta-cache-hit != 'true' && needs.latest.outputs.beta-version != needs.latest.outputs.stable-version
+    permissions:
+      id-token: write
+      attestations: write
     uses: ./.github/workflows/build.yml
     with:
       ref: ${{ needs.latest.outputs.beta-version }}
@@ -74,13 +80,19 @@ jobs:
   dev:
     needs: [latest]
     if: needs.latest.outputs.dev-cache-hit != 'true' && needs.latest.outputs.dev-version != needs.latest.outputs.beta-version && needs.latest.outputs.dev-version != needs.latest.outputs.stable-version
+    permissions:
+      id-token: write
+      attestations: write
     uses: ./.github/workflows/build.yml
     with:
       ref: ${{ needs.latest.outputs.dev-version }}
     secrets: inherit
 
   edge:
     needs: [latest]
+    permissions:
+      id-token: write
+      attestations: write
     uses: ./.github/workflows/build.yml
     with:
       ref: ${{ needs.latest.outputs.edge-version }}
