workflows: Use artifact-attestations for binaries

userdocs · userdocs · commit 9dc316bce743 · 2024-10-02T14:33:52.000+01:00
diff --git a/.github/workflows/matrix_multi_build_and_release.yml b/.github/workflows/matrix_multi_build_and_release.yml
@@ -18,6 +18,11 @@ on:
         type: choice
         options: ["1", "2", "3", "4", "5", "6", "7", "8", "9"]
 
+permissions:
+  id-token: write
+  contents: read
+  attestations: write
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
@@ -147,6 +152,12 @@ jobs:
         if: env.disable_qt5 != 'yes' # When qBittorrent v5 is released, remove this
         run: docker exec -w /root/${{ env.qbt_build_dir }}/completed multiarch mv -f qbittorrent-nox ${{ matrix.qbt_cross_name }}-${{ matrix.qbt_qt_version_name }}qbittorrent-nox
 
+      - name: Generate artifact attestation  ${{ github.event.inputs.distinct_id }}
+        if: env.disable_qt5 != 'yes' # When qBittorrent v5 is released, remove this
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-path: "${{ env.qbt_build_dir }}/completed/${{ matrix.qbt_cross_name }}-${{ matrix.qbt_qt_version_name }}qbittorrent-nox"
+
       - name: Docker - Release Info ${{ github.event.inputs.distinct_id }}
         if: env.disable_qt5 != 'yes' # When qBittorrent v5 is released, remove this
         run: docker exec -w /root/${{ env.qbt_build_dir }}/release_info multiarch bash -c 'mv *.md *.json '/root/${{ env.qbt_build_dir }}/completed''
diff --git a/.github/workflows/matrix_multi_build_and_release_artifacts.yml b/.github/workflows/matrix_multi_build_and_release_artifacts.yml
@@ -18,6 +18,11 @@ on:
         type: choice
         options: ["1", "2", "3", "4", "5", "6", "7", "8", "9"]
 
+permissions:
+  id-token: write
+  contents: read
+  attestations: write
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
@@ -211,6 +216,12 @@ jobs:
         if: env.disable_qt5 != 'yes' # When qBittorrent v5 is released, remove this
         run: docker exec -w /root/${{ env.qbt_build_dir }}/completed multiarch mv -f qbittorrent-nox ${{ matrix.qbt_cross_name }}-${{ matrix.qbt_qt_version_name }}qbittorrent-nox
 
+      - name: Generate artifact attestation  ${{ github.event.inputs.distinct_id }}
+        if: env.disable_qt5 != 'yes' # When qBittorrent v5 is released, remove this
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-path: "${{ env.qbt_build_dir }}/completed/${{ matrix.qbt_cross_name }}-${{ matrix.qbt_qt_version_name }}qbittorrent-nox"
+
       - name: Docker - Release Info ${{ github.event.inputs.distinct_id }}
         if: env.disable_qt5 != 'yes' # When qBittorrent v5 is released, remove this
         run: docker exec -w /root/${{ env.qbt_build_dir }}/release_info multiarch bash -c 'mv *.md *.json '/root/${{ env.qbt_build_dir }}/completed''
diff --git a/.github/workflows/matrix_multi_build_and_release_customs_tags.yml b/.github/workflows/matrix_multi_build_and_release_customs_tags.yml
@@ -18,6 +18,11 @@ on:
         type: choice
         options: ["1", "2", "3", "4", "5", "6", "7", "8", "9"]
 
+permissions:
+  id-token: write
+  contents: read
+  attestations: write
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
@@ -155,6 +160,12 @@ jobs:
         if: env.disable_qt5 != 'yes' # When qBittorrent v5 is released, remove this
         run: docker exec -w /root/${{ env.qbt_build_dir }}/completed multiarch mv -f qbittorrent-nox ${{ matrix.qbt_cross_name }}-${{ matrix.qbt_qt_version_name }}qbittorrent-nox
 
+      - name: Generate artifact attestation  ${{ github.event.inputs.distinct_id }}
+        if: env.disable_qt5 != 'yes' # When qBittorrent v5 is released, remove this
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-path: "${{ env.qbt_build_dir }}/completed/${{ matrix.qbt_cross_name }}-${{ matrix.qbt_qt_version_name }}qbittorrent-nox"
+
       - name: Docker - Release Info
         if: env.disable_qt5 != 'yes' # When qBittorrent v5 is released, remove this
         run: docker exec -w /root/${{ env.qbt_build_dir }}/release_info multiarch bash -c 'mv *.md *.json '/root/${{ env.qbt_build_dir }}/completed''
diff --git a/.github/workflows/matrix_multi_build_and_release_qbt_workflow_files_debug.yml b/.github/workflows/matrix_multi_build_and_release_qbt_workflow_files_debug.yml
@@ -18,6 +18,11 @@ on:
         type: choice
         options: ["1", "2", "3", "4", "5", "6", "7", "8", "9"]
 
+permissions:
+  id-token: write
+  contents: read
+  attestations: write
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
@@ -147,6 +152,12 @@ jobs:
         if: env.disable_qt5 != 'yes' # When qBittorrent v5 is released, remove this
         run: docker exec -w /root/${{ env.qbt_build_dir }}/completed multiarch mv -f qbittorrent-nox ${{ matrix.qbt_cross_name }}-${{ matrix.qbt_qt_version_name }}qbittorrent-nox
 
+      - name: Generate artifact attestation  ${{ github.event.inputs.distinct_id }}
+        if: env.disable_qt5 != 'yes' # When qBittorrent v5 is released, remove this
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-path: "${{ env.qbt_build_dir }}/completed/${{ matrix.qbt_cross_name }}-${{ matrix.qbt_qt_version_name }}qbittorrent-nox"
+
       - name: Docker - Release Info ${{ github.event.inputs.distinct_id }}
         if: env.disable_qt5 != 'yes' # When qBittorrent v5 is released, remove this
         run: docker exec -w /root/${{ env.qbt_build_dir }}/release_info multiarch bash -c 'mv *.md *.json '/root/${{ env.qbt_build_dir }}/completed''
