1212 pull_request :
1313 branches :
1414 - ' master'
15+ permissions :
16+ contents : read
1517jobs :
1618 release :
1719 runs-on : macos-12
20+ # The maximum access is "read" for PRs from public forked repos
21+ # https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
22+ permissions :
23+ contents : write # for releases
24+ id-token : write # for provenances
25+ attestations : write # for provenances
1826 timeout-minutes : 20
1927 steps :
2028 - uses : actions/checkout@v4
@@ -41,14 +49,27 @@ jobs:
4149name : " Prepare the release note"
4250 run : |
4351 shasha=$(shasum -a 256 _artifacts/SHA256SUMS | awk '{print $1}')
52+ version="VERSION"
53+ [[ $GITHUB_REF == refs/tags/v* ]] && version="${GITHUB_REF#refs/tags/v}"
4454 cat <<-EOF | tee /tmp/release-note.txt
4555 (Changes to be documented)
4656 - - -
4757 The binaries were built automatically on GitHub Actions.
4858 The build log is available for 90 days: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
4959
5060 The sha256sum of the SHA256SUMS file itself is \`${shasha}\` .
61+
62+ The [GitHub Artifact Attestations](https://cli.github.com/manual/gh_attestation_verify)
63+ can be verified by running:
64+ \`\`\`
65+ gh attestation verify socket_vmnet-${version}-arm64.tar.gz --owner lima-vm
66+ gh attestation verify socket_vmnet-${version}-x86_64.tar.gz --owner lima-vm
67+ \`\`\`
5168 EOF
69+ uses : actions/attest-build-provenance@v1
70+ if : github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
71+ with :
72+ subject-path : _artifacts/*
5273 - name : " Create release"
5374 if : github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
5475 env :
0 commit comments