From f627c83a4c6348ad2ee14b22ef972cda63562439 Mon Sep 17 00:00:00 2001
From: Roman Podoliaka <roman.podoliaka@gmail.com>
Date: Sat, 23 Nov 2024 21:36:29 +0000
Subject: [PATCH] Try actions/attest-build-provenance for our builds

Per https://github.blog/news-insights/product-news/introducing-artifact-attestations-now-in-public-beta/,
this should allow users to verify attestations using GitHub CLI.
---
 .github/workflows/release.yml | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 4f6c7a6..9b85d96 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -38,6 +38,11 @@ jobs:
           GH_REPO: ${{ env.GITHUB_REPOSITORY }}
 
   build_assets:
+    permissions:
+      id-token: write
+      contents: read
+      attestations: write
+
     needs: create_release
 
     strategy:
@@ -66,7 +71,8 @@ jobs:
           command: build
           args: --release
 
-      - run: |
+      - id: build
+        run: |
           rustc --print cfg | grep = > rustc.vars
           source rustc.vars
 
@@ -80,7 +86,13 @@ jobs:
           fi
           gh release upload $RELEASE_TAG $ASSET_NAME
           popd
+
+          echo "asset_path=target/release/$ASSET_NAME" >> $GITHUB_OUTPUT
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GH_REPO: ${{ env.GITHUB_REPOSITORY }}
           RELEASE_TAG: ${{ needs.create_release.outputs.release_tag }}
+
+      - uses: actions/attest-build-provenance@v1
+        with:
+          subject-path: ${{ steps.build.outputs.asset_path }}