From b8b30ba562ceffd3e9c4401e13c5564657256084 Mon Sep 17 00:00:00 2001
From: Javier Rodriguez <javier@chainloop.dev>
Date: Thu, 10 Apr 2025 13:26:52 +0200
Subject: [PATCH] feat(ci): Include source code to chainloop attestation

Signed-off-by: Javier Rodriguez <javier@chainloop.dev>
---
 .github/workflows/release.yaml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index cf01b9b44..e84baf2a9 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -176,6 +176,13 @@ jobs:
         run: |
           chainloop attestation --name slsa-attestation add --value ${{ steps.slsa-attest.outputs.bundle-path }} --kind SLSA_PROVENANCE --attestation-id ${{ env.ATTESTATION_ID }}
 
+      - name: Include source code on attestation
+        run: |
+            # This needs to run AFTER goreleaser to make sure the source code is available
+
+            gh release download ${{ github.ref_name }} -A tar.gz -O source-code.tar.gz
+            chainloop attestation add --name source-code --value source-code.tar.gz --kind ARTIFACT --attestation-id ${{ env.ATTESTATION_ID }}
+
       - name: Bump Chart and Dagger Version
         run: .github/workflows/utils/bump-chart-and-dagger-version.sh deployment/chainloop extras/dagger ${{ github.ref_name }}
       - name: Bump Project Version