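name: Release Attestation

# yamllint disable-line rule:truthy
on:
  release:
    types: [published]
  workflow_dispatch:
    inputs:
      release_tag:
        description: "Release tag to attest"
        required: true
        type: string

jobs:
  attest-release-assets:
    runs-on: ubuntu-latest
    permissions:
      # Necessary to push the attestation to the release
      contents: write
      # Necessary to persist attestations
      attestations: write
      # Necessary to request the OIDC token used to sign the provenance
      id-token: write
    steps:
      - name: Download release assets
        id: download
        shell: bash
        env:
          GH_TOKEN: ${{ github.token }}
          # Event data is passed through the environment instead of being
          # interpolated with ${{ }} directly into the script, so a tag name
          # or input containing shell metacharacters is treated as data only.
          EVENT_NAME: ${{ github.event_name }}
          INPUT_RELEASE_TAG: ${{ github.event.inputs.release_tag }}
          EVENT_RELEASE_TAG: ${{ github.event.release.tag_name }}
        run: |
          set -ex
          # Get the release tag from input or event
          if [ "$EVENT_NAME" = "workflow_dispatch" ]; then
            RELEASE_TAG="$INPUT_RELEASE_TAG"
          else
            RELEASE_TAG="$EVENT_RELEASE_TAG"
          fi
          # Without a tag, `gh release download` would silently fall back to
          # the latest release, so an empty value must fail the job instead.
          if [ -z "$RELEASE_TAG" ]; then
            echo "No release tag available from the event or inputs" >&2
            exit 1
          fi
          echo "release_tag=$RELEASE_TAG" >> "$GITHUB_OUTPUT"
          gh release download -R microsoft/ccf "$RELEASE_TAG" -D release-assets

      - name: Attest release assets
        id: attest
        # TODO(review): pin to a full commit SHA (e.g. @<full-commit-sha> # v3.x.y)
        # so a moved major tag cannot change what signs the release.
        uses: actions/attest-build-provenance@v3
        with:
          subject-path: "release-assets/*"

      - name: Upload attestation to the release
        shell: bash
        env:
          GH_TOKEN: ${{ github.token }}
          # Same reasoning as above: step outputs reach the script as
          # environment variables, never as inline expression text.
          BUNDLE_PATH: ${{ steps.attest.outputs.bundle-path }}
          RELEASE_TAG: ${{ steps.download.outputs.release_tag }}
        run: |
          set -ex
          # Rename to match https://github.com/ossf/scorecard/blob/main/docs/checks.md#signed-releases
          cp "$BUNDLE_PATH" release-assets/attestation.sigstore.json
          gh release upload --repo microsoft/ccf "$RELEASE_TAG" release-assets/attestation.sigstore.json --clobber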