Setup release artifact attesting with actions/attest-build-provenance

Update the "Publish / GitHub Release" job to attest to release artifacts using `actions/attest-build-provenance`. Under the hood, this uses Cosign (<https://docs.sigstore.dev/signing/quickstart/>). In particular, this uses keyless signing based on the OIDC token available in the job. That way, the published release artifacts are linked to the workflow that created it. The version of Cosign used is not configurable with the tooling used (`actions/attest-build-provenance`), which is a bit unfortunate given that we have Cosign pinned in the "Publish / Docker Hub" job. Signed-off-by: Eric Cornelissen <ericornelissen@gmail.com>
ericcornelissen · Jun 2, 2024 · 5ddc7de · 5ddc7de
1 parent 0bcda9c
commit 5ddc7de
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -58,7 +58,9 @@ jobs:
     name: GitHub Release
     runs-on: ubuntu-22.04
     permissions:
+      attestations: write # To create GitHub Attestations
       contents: write # To create a GitHub Release
+      id-token: write # To perform keyless signing with cosign for attestations
     steps:
     - name: Checkout repository
       uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
@@ -80,3 +82,7 @@ jobs:
         name: Release ${{ steps.version.outputs.version }}
         body: ${{ steps.version.outputs.version }}
         artifacts: ./_compiled/*
+    - name: Attest build provenance
+      uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2
+      with:
+        subject-path: ./_compiled/*