Merge pull request #12258 from TimWolla/release-attest-build-provenance

Generate build provenance attestation during release
2025-01-10 16:29:15 +01:00 · 2025-01-10 16:29:15 +01:00 · efe91c76e8
parent a2fcc1a4db 089972db87
commit efe91c76e8
1 changed files with 7 additions and 0 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -15,6 +15,8 @@ jobs:
  build:
    permissions:
      contents: write # for actions/create-release to create a release
+      id-token: write # for actions/attest-build-provenance to create a attestation certificate
+      attestations: write # for actions/attest-build-provenance to upload the attestation
    name: Upload Release Asset
    runs-on: ubuntu-latest
    steps:
@ -41,6 +43,11 @@ jobs:
      - name: Build phar file
        run: "php -d phar.readonly=0 bin/compile"

+      - name: Generate build provenance attestation
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-path: '${{ github.workspace }}/composer.phar'
+
      - name: Create release
        id: create_release
        uses: actions/create-release@v1