Merged
21 changes: 21 additions & 0 deletions .github/workflows/README.md
Expand Up @@ -38,6 +38,27 @@ CI/CD workflows for the fbuild project, covering lint, test, documentation, and
- **`template_build.yml`** -- Reusable workflow for per-board firmware builds
- **`template_native_build.yml`** -- Reusable workflow for native Rust binary builds

### Native Build Attestations

Manual `build.yml` native artifacts include `SHA256SUMS.txt` and GitHub Artifact
Attestations for every staged native file:

- `fbuild` / `fbuild.exe`
- `fbuild-daemon` / `fbuild-daemon.exe`
- `_native.abi3.so` / `_native.pyd`

After downloading and extracting a `binaries-${target}` workflow artifact:

```bash
sha256sum -c SHA256SUMS.txt
gh attestation verify fbuild --repo FastLED/fbuild
gh attestation verify fbuild-daemon --repo FastLED/fbuild
gh attestation verify _native.abi3.so --repo FastLED/fbuild
```

For Windows artifacts, verify `fbuild.exe`, `fbuild-daemon.exe`, and
`_native.pyd` instead.

### Autonomous Releases

`release-auto.yml` follows the attested release pattern used by `soldr`:
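Review bot: the verification snippet should make clear that `sha256sum -c SHA256SUMS.txt` on its own proves nothing about origin, because `SHA256SUMS.txt` travels inside the same artifact as the binaries and is not itself one of the attested subjects (it is generated by `sha256sum *` in the checksum step, so it cannot list itself). A tampered artifact can ship a matching checksum file; only the `gh attestation verify ... --repo FastLED/fbuild` lines establish that the file was built by this repository's workflow. Suggest one sentence after the code block saying that the checksum step is an integrity pre-check and the `gh attestation verify` calls are the provenance check, and, since the text covers Windows artifacts, a note on how to check the sums there (for example `Get-FileHash` in PowerShell) given that `sha256sum` is assumed to be in a bash environment.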
5 changes: 5 additions & 0 deletions .github/workflows/build.yml
Expand Up @@ -8,6 +8,11 @@ on:
required: false
default: "main"

permissions:
contents: read
attestations: write
id-token: write

jobs:
build:
strategy:
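Review bot: the new `permissions` block is declared at workflow level, so every job in `build.yml` receives `id-token: write` and `attestations: write`, not only the job that calls `template_native_build.yml`. For least privilege, consider moving the grant to the job level on the job that invokes the reusable workflow (a reusable workflow inherits the caller's job permissions) and leaving the remaining jobs at `contents: read`. The explicit `contents: read` is good, since it prevents the default write token from being granted alongside the new scopes.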
18 changes: 18 additions & 0 deletions .github/workflows/template_native_build.yml
Expand Up @@ -36,6 +36,11 @@ env:
CARGO_TERM_COLOR: always
RUSTFLAGS: "-D warnings"

permissions:
contents: read
attestations: write
id-token: write

jobs:
build:
name: Build (${{ inputs.target }})
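Review bot: a `permissions` block inside a reusable workflow can only narrow what the caller grants, never widen it, so this hunk does not by itself make attestation work; every caller of `template_native_build.yml` must grant `id-token: write` and `attestations: write` or the attest step added later in this file will fail with a token error. The README hunk only documents `build.yml`, so either confirm `build.yml` is the sole caller or add a line to the README's description of `template_native_build.yml` stating the permissions a caller must pass.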
Expand Down Expand Up @@ -188,6 +193,19 @@ jobs:
strip staging/_native.pyd 2>/dev/null || true
fi

- name: Generate checksums
shell: bash
run: |
set -euo pipefail
cd staging
sha256sum * > SHA256SUMS.txt
cat SHA256SUMS.txt

- name: Attest native artifacts
uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3
with:
subject-checksums: staging/SHA256SUMS.txt

- name: Upload artifacts
uses: actions/upload-artifact@v7
with:
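Review bot: `sha256sum *` in the "Generate checksums" step will exit non-zero under `set -euo pipefail` if `staging/` ever contains a subdirectory (sha256sum reports an error for directories), and it also silently absorbs any stray file placed there, which then becomes an attested subject. Suggest hashing an explicit list (`sha256sum fbuild* _native.*` or the `find . -type f` equivalent) so the set of attested subjects matches the three files named in the README. The ordering is correct as written: checksums are taken after the `strip` step, so the attested digests match what is uploaded, and pinning `actions/attest-build-provenance` to a full commit SHA with the `# v3` comment is the right supply-chain practice; `actions/upload-artifact@v7` in the same file is still pinned by tag only, which is inconsistent with that.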