ci: add build provenance

2024-05-03 12:14:12 +02:00 · 2024-05-03 12:14:12 +02:00 · f05c050f61
parent a609601e25
commit f05c050f61
1 changed files with 9 additions and 12 deletions
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@ -264,6 +264,9 @@ jobs:
    environment: ${{ (github.ref == 'refs/heads/citest' || startsWith(github.ref, 'refs/tags/')) && 'deploy-release' || 'deploy-snapshot' }}
    needs: check
    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      attestations: write
    env:
      # PyPI and MSFT keys are only available for the deploy-release environment
      # The AWS access key for snapshots is scoped to branches/* as well.
@ -302,20 +305,14 @@ jobs:
          path: docs/archive
      - uses: actions/download-artifact@v4
        with:
-          name: binaries.windows
+          pattern: binaries.*
+          merge-multiple: true
          path: release/dist
-      - uses: actions/download-artifact@v4
+      - id: provenance
+        uses: actions/attest-build-provenance@v1
        with:
-          name: binaries.linux
-          path: release/dist
-      - uses: actions/download-artifact@v4
-        with:
-          name: binaries.macos-x86_64
-          path: release/dist
-      - uses: actions/download-artifact@v4
-        with:
-          name: binaries.macos-arm64
-          path: release/dist
+          subject-path: 'release/dist/*'
+      - run: mv ${{ steps.provenance.outputs.bundle-path }} release/dist/mitmproxy-${{ github.ref_name }}.sigstore
      - run: ls docs/public
      - run: ls release/dist