fix(release): allow contents write permission, run attestation after release created (#9550)

grandizzy · web-flow · commit 2f698e4c9747 · 2024-12-13T06:15:05.000Z
fix(release): allow contents write permission, run attestation after release published
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -69,7 +69,7 @@ jobs:
   release:
     permissions:
       id-token: write
-      contents: read
+      contents: write
       attestations: write
     name: ${{ matrix.target }} (${{ matrix.runner }})
     runs-on: ${{ matrix.runner }}
@@ -163,15 +163,6 @@ jobs:
             echo "${name}_bin_path=${bin}" >> $GITHUB_ENV
           done
 
-      - name: Binaries attestation
-        uses: actions/attest-build-provenance@v2
-        with:
-          subject-path: |
-            ${{ env.anvil_bin_path }}
-            ${{ env.cast_bin_path }}
-            ${{ env.chisel_bin_path }}
-            ${{ env.forge_bin_path }}
-
       - name: Archive binaries
         id: artifacts
         env:
@@ -228,6 +219,15 @@ jobs:
             ${{ steps.artifacts.outputs.file_name }}
             ${{ steps.man.outputs.foundry_man }}
 
+      - name: Binaries attestation
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-path: |
+            ${{ env.anvil_bin_path }}
+            ${{ env.cast_bin_path }}
+            ${{ env.chisel_bin_path }}
+            ${{ env.forge_bin_path }}
+
       # If this is a nightly release, it also updates the release
       # tagged `nightly` for compatibility with `foundryup`
       - name: Update nightly release
