
Generate build provenance attestation during release

This will simplify secure installation of composer in GitHub Actions to two
calls to `gh` cli with no need to manually import any PGP signing keys:

    gh release --repo composer/composer download --pattern composer.phar
    gh attestation verify --repo composer/composer composer.phar

Given that the current PGP signing key is stored as a GitHub Action secret,
this type of attestation is no less secure than the existing PGP signing.
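The consuming side described in the commit message, written out as a complete GitHub Actions job. This is an added example, not part of the composer/composer repository or of this PR: it assumes the release asset is named `composer.phar` as above, that the runner's `gh` is recent enough to have the `attestation` subcommand, and that `gh` is given `github.token` (it needs a token even for public repositories). The verify call runs under `set -e`, so a missing or non-matching attestation aborts the job before the phar is installed.

```yaml
# Added example (not composer's own workflow): install composer.phar from the
# composer/composer release and fail closed unless the build provenance
# attestation verifies. Assumes gh with the `attestation` subcommand on the runner.
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read          # no write scopes are needed to download or verify
    steps:
      - name: Install composer with provenance verification
        env:
          GH_TOKEN: ${{ github.token }}   # gh cli requires a token in Actions
        run: |
          set -euo pipefail
          # Downloads the asset from the latest composer/composer release.
          gh release --repo composer/composer download --pattern composer.phar
          # Exits non-zero if no attestation for this file's digest was issued by
          # composer/composer, so `set -e` stops the job before installation.
          gh attestation verify --repo composer/composer composer.phar
          sudo install -m 0755 composer.phar /usr/local/bin/composer
      - run: composer --version
```

The `permissions` block is deliberately read-only: the consumer only needs to fetch and verify, and `gh attestation verify` checks the artifact against the attestation store of the named repository, so no PGP keyring has to be imported into the job.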
pull/12258/head
Tim Düsterhus 2025-01-02 15:43:33 +01:00
parent b89036c1f8
commit 089972db87
No known key found for this signature in database
1 changed files with 7 additions and 0 deletions


@ -15,6 +15,8 @@ jobs:
build:
permissions:
contents: write # for actions/create-release to create a release
id-token: write # for actions/attest-build-provenance to create a attestation certificate
attestations: write # for actions/attest-build-provenance to upload the attestation
name: Upload Release Asset
runs-on: ubuntu-latest
steps:
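Review bot: the comment on the `id-token: write` line reads "to create a attestation certificate"; it should be "an attestation certificate". On the substance of the same two lines, `id-token: write` and `attestations: write` are job-level permissions, so every step in the `build` job, including the `bin/compile` step, can request an OIDC token and upload attestations; that is unavoidable with job-level scoping, but it is a reason to keep this job limited to building and releasing, as it is here, and not to add unrelated steps to it later.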
@ -41,6 +43,11 @@ jobs:
- name: Build phar file
run: "php -d phar.readonly=0 bin/compile"
- name: Generate build provenance attestation
uses: actions/attest-build-provenance@v2
with:
subject-path: '${{ github.workspace }}/composer.phar'
- name: Create release
id: create_release
uses: actions/create-release@v1
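Review bot: `actions/attest-build-provenance@v2` is pinned to a floating major tag; for a step that issues signing material for the release, consider pinning to a full-length commit SHA with the version in a trailing comment, so that a moved tag cannot silently change what produces the attestation. Also confirm that `${{ github.workspace }}/composer.phar` is byte-for-byte the file uploaded as the release asset: the attestation covers the digest of the file as it exists at this step, so any later step that rewrites the phar (re-signing, re-compression) would make `gh attestation verify` fail against the downloaded asset, and the upload step that follows `create_release` is not shown in this hunk.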