From f8e2ff5b7574de02e53e6531fde4478ddcea016e Mon Sep 17 00:00:00 2001
From: Russell Martin
Date: Sun, 26 May 2024 12:06:10 -0400
Subject: [PATCH] Add support to attest Python package via GitHub (#453)
---
 .github/workflows/ci.yml | 11 +++++++++++
 .github/workflows/release.yml | 2 ++
 2 files changed, 13 insertions(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 1c34a1869..ad9424665 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -9,6 +9,11 @@ on:
 pull_request:
 workflow_dispatch:
 workflow_call:
+ inputs:
+ attest:
+ description: "Attest the created package using GitHub attestations."
+ default: "false"
+ type: string
 # cancels running CI if new commit is pushed to branch
 concurrency:
@@ -67,6 +72,10 @@ jobs:
 #######
 name: Build & Verify Package
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ contents: read
+ attestations: write
 steps:
 - name: Checkout Repo
 uses: actions/checkout@v4.1.4
@@ -75,6 +84,8 @@ jobs:
 - name: Build & Upload Package
 uses: hynek/build-and-inspect-python-package@v2.5.0
+ with:
+ attest-build-provenance-github: ${{ inputs.attest }}
 Tests-qBittorrent:
 name: Release Test ${{ needs.verify.outputs.python-latest-version }} - ${{ matrix.QBT_VER }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 074181fc1..44d9ac835 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -10,6 +10,8 @@ jobs:
 name: CI
 uses: ./.github/workflows/ci.yml
 secrets: inherit
+ with:
+ attest: "true"
 release:
 name: Create Release
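Review bot: Declaring the new `attest` input as `type: string` with `default: "false"` makes the flag a non-empty string, and any non-empty string is truthy in a workflow expression, so a later `if: inputs.attest` would pass even when attestation is switched off. Declaring it as `type: boolean` with `default: false` (and `attest: true` in the caller) avoids that, and the value still renders as `true`/`false` where it is interpolated into the build action's input. If the string type is kept on purpose, a comment next to the input such as `# string, not boolean: compare with == 'true'` would record the constraint.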
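Review bot: The added `permissions:` block gives the build job `id-token: write` and `attestations: write` on every trigger of this workflow, including the `pull_request` and `workflow_dispatch` entries visible in the first hunk, although only the release caller asks for attestation. The job builds the package through a third-party action referenced by a mutable tag (`hynek/build-and-inspect-python-package@v2.5.0`), so whatever runs during the build does so with the ability to request an OIDC token and publish attestations. Consider keeping this job at `contents: read` and moving attestation into a separate job gated on `inputs.attest == 'true'`, or at least pinning the action to a full commit, e.g. `uses: hynek/build-and-inspect-python-package@<full-commit-sha>  # v2.5.0`. The job definition starts above the hunk, so any existing `if:` gating is not visible here.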
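Review bot: `${{ inputs.attest }}` is only populated when the workflow is entered through `workflow_call`; on the other triggers no `attest` input is defined and the expression renders as an empty string. How the action treats an empty `attest-build-provenance-github` value is not visible here, so make the off state explicit with `attest-build-provenance-github: ${{ inputs.attest || 'false' }}`.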
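Review bot: The called workflow's build job now requests `id-token: write` and `attestations: write`, and a reusable workflow can only keep or reduce the permissions its caller holds, so the calling job named `CI` needs those scopes too. Neither that job's header nor any workflow-level `permissions:` is inside the hunk; if they are not already granted, add a `permissions:` block with `id-token: write`, `attestations: write` and `contents: read` to this job. Separately, `secrets: inherit` hands every repository secret to the job that now also holds the write scopes, so passing only the secrets CI actually needs would narrow the exposure.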