Merge pull request #253 from github/attest-build-provenance

GrantBirki · web-flow · commit 7372380934ea · 2025-02-24T13:14:03.000-08:00
Attest Build Provenance
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -11,6 +11,8 @@ on:
 permissions:
   contents: write
   packages: write
+  id-token: write
+  attestations: write
 
 jobs:
   release:
@@ -37,13 +39,17 @@ jobs:
       - name: build
         run: echo "GEM_VERSION=$(gem build ${{ env.GEM_NAME }}.gemspec 2>&1 | grep Version | cut -d':' -f 2 | tr -d " \t\n\r")" >> $GITHUB_ENV
 
+      - uses: actions/attest-build-provenance@520d128f165991a6c774bcb264f323e3d70747f4 # pin@v2
+        with:
+          subject-path: "${{ env.GEM_NAME }}-${{ env.GEM_VERSION }}.gem"
+
       - name: publish to GitHub packages
         run: |
           export OWNER=$( echo ${{ github.repository }} | cut -d "/" -f 1 )
           GEM_HOST_API_KEY=${{ secrets.GITHUB_TOKEN }} gem push --KEY github --host https://rubygems.pkg.github.com/${OWNER} ${{ env.GEM_NAME }}-${{ env.GEM_VERSION }}.gem
 
       - name: release
-        uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # pin@v1.14.0
+        uses: ncipollo/release-action@cdcc88a9acf3ca41c16c37bb7d21b9ad48560d87 # pin@v1.15.0
         with:
           artifacts: "${{ env.GEM_NAME }}-${{ env.GEM_VERSION }}.gem"
           tag: "v${{ env.GEM_VERSION }}"
