From 089972db87c357cad36ac3138c1a1b3de5b68610 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20D=C3=BCsterhus?=
Date: Thu, 2 Jan 2025 15:43:33 +0100
Subject: [PATCH] Generate build provenance attestation during release

This will simplify secure installation of composer in GitHub Actions to two calls to `gh` cli with no need to manually import any PGP signing keys:

    gh release --repo composer/composer download --pattern composer.phar
    gh attestation verify --repo composer/composer composer.phar

Given that the current PGP signing key is stored as a GitHub Action secret, this type of attestation is no less secure than the existing PGP signing.
---
 .github/workflows/release.yml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 82a35f05d..79ef72e69 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -15,6 +15,8 @@ jobs:
   build:
     permissions:
       contents: write # for actions/create-release to create a release
+      id-token: write # for actions/attest-build-provenance to create a attestation certificate
+      attestations: write # for actions/attest-build-provenance to upload the attestation
     name: Upload Release Asset
     runs-on: ubuntu-latest
     steps:
@@ -41,6 +43,11 @@ jobs:
       - name: Build phar file
         run: "php -d phar.readonly=0 bin/compile"
 
+      - name: Generate build provenance attestation
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-path: '${{ github.workspace }}/composer.phar'
+
       - name: Create release
         id: create_release
         uses: actions/create-release@v1
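Review bot: `uses: actions/attest-build-provenance@v2` in the second hunk references the action by a mutable tag, and since `id-token: write` and `attestations: write` in the first hunk are granted at the job level, they apply to every step of the `build` job, including the other third-party actions it runs, so the provenance statement is only as trustworthy as the least-trusted step in that job. Pinning the new action (and ideally the existing ones) to a full commit SHA narrows that exposure, e.g. `uses: actions/attest-build-provenance@<full-commit-sha>  # v2` with the SHA taken from the action's release. The comment on the new `id-token` line also has a typo: `create a attestation certificate` should read `create an attestation certificate`. The `build` job continues outside both hunks, so whether later steps rely on these broadened permissions cannot be judged from here.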