From 70c00ecdf1074df44c514db61794146d381800d0 Mon Sep 17 00:00:00 2001
From: zackees
Date: Tue, 21 Apr 2026 20:13:42 -0700
Subject: [PATCH] Add native build artifact attestations

---
 .github/workflows/README.md | 21 +++++++++++++++++++++
 .github/workflows/build.yml | 5 +++++
 .github/workflows/template_native_build.yml | 18 ++++++++++++++++++
 3 files changed, 44 insertions(+)

diff --git a/.github/workflows/README.md b/.github/workflows/README.md
index c46b8e67..c0249c9d 100644
--- a/.github/workflows/README.md
+++ b/.github/workflows/README.md
@@ -38,6 +38,27 @@ CI/CD workflows for the fbuild project, covering lint, test, documentation, and
 - **`template_build.yml`** -- Reusable workflow for per-board firmware builds
 - **`template_native_build.yml`** -- Reusable workflow for native Rust binary builds +### Native Build Attestations + +Manual `build.yml` native artifacts include `SHA256SUMS.txt` and GitHub Artifact +Attestations for every staged native file: + +- `fbuild` / `fbuild.exe` +- `fbuild-daemon` / `fbuild-daemon.exe` +- `_native.abi3.so` / `_native.pyd` + +After downloading and extracting a `binaries-${target}` workflow artifact: + +```bash +sha256sum -c SHA256SUMS.txt +gh attestation verify fbuild --repo FastLED/fbuild +gh attestation verify fbuild-daemon --repo FastLED/fbuild +gh attestation verify _native.abi3.so --repo FastLED/fbuild +``` + +For Windows artifacts, verify `fbuild.exe`, `fbuild-daemon.exe`, and +`_native.pyd` instead. + ### Autonomous Releases + `release-auto.yml` follows the attested release pattern used by `soldr`:
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index d3ade238..c1fd9446 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -8,6 +8,11 @@ on:
 required: false
 default: "main"
 
+permissions:
+ contents: read
+ attestations: write
+ id-token: write
+
 jobs:
 build:
 strategy:
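Review bot: The new top-level `permissions:` block in build.yml grants `attestations: write` and `id-token: write` to every job in the workflow, although only the job that calls the native build workflow needs to mint an OIDC token and sign provenance; the same block is added at the top of template_native_build.yml in the next file. Least privilege would put the three keys under the calling job (beneath `build:`) rather than at workflow level, since a called reusable workflow can only narrow what its caller grants, and the workflow-level default can stay at `contents: read`. With `id-token: write` in scope, any step of that job can request an OIDC token, so the job should carry only the steps the attestation genuinely needs. The `on:` block above shows a workflow_dispatch input defaulting to `"main"`; if that input selects the ref that is built, provenance will be minted for whatever ref a dispatcher chooses, which is correct behaviour but means consumers should check the attested source ref rather than relying on `--repo` alone.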
diff --git a/.github/workflows/template_native_build.yml b/.github/workflows/template_native_build.yml
index 2065a0c0..33813b9f 100644
--- a/.github/workflows/template_native_build.yml
+++ b/.github/workflows/template_native_build.yml
@@ -36,6 +36,11 @@ env:
 CARGO_TERM_COLOR: always
 RUSTFLAGS: "-D warnings"
 
+permissions:
+ contents: read
+ attestations: write
+ id-token: write
+
 jobs:
 build:
 name: Build (${{ inputs.target }})
@@ -188,6 +193,19 @@ jobs:
 strip staging/_native.pyd 2>/dev/null || true
 fi
 
+ - name: Generate checksums
+ shell: bash
+ run: |
+ set -euo pipefail
+ cd staging
+ sha256sum * > SHA256SUMS.txt
+ cat SHA256SUMS.txt
+
+ - name: Attest native artifacts
+ uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3
+ with:
+ subject-checksums: staging/SHA256SUMS.txt
+
 - name: Upload artifacts
 uses: actions/upload-artifact@v7
 with:
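Review bot: `sha256sum * > SHA256SUMS.txt` in the Generate checksums step attests whatever happens to be in `staging/`, so a build that produced fewer files than the README promises (for example no `_native.abi3.so` / `_native.pyd`) still gets a complete-looking checksum file and a signed provenance record, and nothing in the hunk checks the expected set before it is signed. An explicit presence check ahead of the checksum, along the lines of `for f in fbuild fbuild-daemon; do [ -f "$f" ] || [ -f "$f.exe" ] || { echo "missing $f" >&2; exit 1; }; done` with a matching test for the `_native` module, would make a partial build fail under `set -euo pipefail` instead of being attested. The bare `*` would also sweep up any stray file left in `staging/` by an earlier step, so naming the subjects explicitly keeps the attestation scoped to the three binaries the README documents. Pinning `actions/attest-build-provenance` to a full SHA with a `# v3` marker is the right pattern; the neighbouring `actions/upload-artifact@v7` context line still uses a mutable tag and could be aligned in a follow-up.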