Add build-provenance in publish-commit-bottles.yml

[josephsweeney]

Adds an extra step after pr-pull in publish-commit-bottles.yml to generate build provenance for bottles that get published.

This requires a small change in Homebrew/brew to retain the temporary directory and to expose the path to the following workflow steps. This PR must be merged first before this change will work.

• Have you followed the guidelines for contributing?
• Have you ensured that your commits follow the commit style guide?
• Have you checked that there aren't other open pull requests for the same formula update/change?
• Have you built your formula locally with HOMEBREW_NO_INSTALL_FROM_API=1 brew install --build-from-source <formula>, where <formula> is the name of the formula you're submitting?
• Is your test running fine brew test <formula>, where <formula> is the name of the formula you're submitting?
• Does your build pass brew audit --strict <formula> (after doing HOMEBREW_NO_INSTALL_FROM_API=1 brew install --build-from-source <formula>)? If this is a new formula, does it pass brew audit --new <formula>?

---

[josephsweeney]

I will wait to mark this as ready for review until the PR mentioned above is merged.

In the meantime, if @Bo98, @carlocab, @MikeMcQuaid, @woodruffw have any feedback about testing this or the above PR, please let me know!

[MikeMcQuaid]

Makes sense to me! Happy for this to be merged as-is and reverted if it causes issues.

[josephsweeney]

Makes sense to me! Happy for this to be merged as-is and reverted if it causes issues.

That works for me, we'll definitely have to keep an eye out after merging on the publish-commit-bottles action but if I missed anything, it should be obvious.

[carlocab]

Let's try this...

[carlocab]

Ok, I guess that worked? https://github.com/Homebrew/homebrew-core/actions/runs/7679301023/job/20930044698#step:9:1

I don't see this though: https://github.com/github-early-access/generate-build-provenance#where-does-the-attestation-go

I also get a 404 from https://github.com/Homebrew/homebrew-core/attestations/378699

[josephsweeney]

Thank you for merging @carlocab, it looks like it is working! I can see the attestation page you linked. I think that because the feature is still in early access, they haven't rolled it out to everyone yet.

[woodruffw]

Great work here @josephsweeney!

@carlocab: I'll see about getting you added to the private beta (along with the other org members) 🙂

[woodruffw]

@carlocab You should have access to those URLs now!

(I've also asked them to add @MikeMcQuaid and @Bo98 initially -- adding everyone from the Homebrew org is manual on their side, but anybody else who wants early access can be added!)

[p-linnane]

@carlocab You should have access to those URLs now!

(I've also asked them to add @MikeMcQuaid and @Bo98 initially -- adding everyone from the Homebrew org is manual on their side, but anybody else who wants early access can be added!)

Put me in coach!

[MikeMcQuaid]

(I've also asked them to add @MikeMcQuaid and @Bo98 initially -- adding everyone from the Homebrew org is manual on their side, but anybody else who wants early access can be added!)

@josephsweeney Me too, please!

[josephsweeney]

@MikeMcQuaid I believe you have been added. Can you see the attestations here?

[MikeMcQuaid]

@josephsweeney Yup, got them now thanks!