Add build attestations for releases

This commit is contained in:
tooomm 2025-05-11 11:58:29 +02:00
parent 48b6e1590c
commit 2de5e9d932

View file

@ -180,6 +180,7 @@ jobs:
.ci/name_build.sh
- name: Upload artifact
id: upload_artifact
if: matrix.package != 'skip'
uses: actions/upload-artifact@v4
with:
@ -188,6 +189,7 @@ jobs:
if-no-files-found: error
- name: Upload to release
id: upload_release
if: matrix.package != 'skip' && needs.configure.outputs.tag != null
shell: bash
env:
@ -197,6 +199,20 @@ jobs:
asset_name: ${{steps.build.outputs.name}}
run: gh release upload "$tag_name" "$asset_path#$asset_name"
- name: Attest binary provenance
id: attestation
if: steps.upload_release.outcome == 'success'
uses: actions/attest-build-provenance@v2
with:
subject-path: ${{steps.build.outputs.path}}
subject-name: ${{steps.build.outputs.name}}
subject-digest: sha256:${{ steps.upload_artifact.outputs.artifact-digest }}
- name: Verify binary attestation
if: steps.attestation.outcome == 'success'
shell: bash
run: gh attestation verify ${{steps.build.outputs.path}} -R Cockatrice/Cockatrice
build-macos:
strategy:
fail-fast: false
@ -328,6 +344,7 @@ jobs:
fi
- name: Upload artifact
id: upload_artifact
if: matrix.make_package
uses: actions/upload-artifact@v4
with:
@ -336,6 +353,7 @@ jobs:
if-no-files-found: error
- name: Upload to release
id: upload_release
if: matrix.package != 'skip' && needs.configure.outputs.tag != null
shell: bash
env:
@ -345,6 +363,20 @@ jobs:
asset_name: ${{steps.build.outputs.name}}
run: gh release upload "$tag_name" "$asset_path#$asset_name"
- name: Attest binary provenance
id: attestation
if: steps.upload_release.outcome == 'success'
uses: actions/attest-build-provenance@v2
with:
subject-path: ${{steps.build.outputs.path}}
subject-name: ${{steps.build.outputs.name}}
subject-digest: sha256:${{ steps.upload_artifact.outputs.artifact-digest }}
- name: Verify binary attestation
if: steps.attestation.outcome == 'success'
shell: bash
run: gh attestation verify ${{steps.build.outputs.path}} -R Cockatrice/Cockatrice
build-windows:
strategy:
fail-fast: false
@ -411,6 +443,7 @@ jobs:
run: .ci/compile.sh --server --release --test --package
- name: Upload artifact
id: upload_artifact
uses: actions/upload-artifact@v4
with:
name: Windows${{matrix.target}}-installer
@ -427,6 +460,7 @@ jobs:
if-no-files-found: error
- name: Upload to release
id: upload_release
if: matrix.package != 'skip' && needs.configure.outputs.tag != null
shell: bash
env:
@ -435,3 +469,17 @@ jobs:
asset_path: ${{steps.build.outputs.path}}
asset_name: ${{steps.build.outputs.name}}
run: gh release upload "$tag_name" "$asset_path#$asset_name"
- name: Attest binary provenance
id: attestation
if: steps.upload_release.outcome == 'success'
uses: actions/attest-build-provenance@v2
with:
subject-path: ${{steps.build.outputs.path}}
subject-name: ${{steps.build.outputs.name}}
subject-digest: sha256:${{ steps.upload_artifact.outputs.artifact-digest }}
- name: Verify binary attestation
if: steps.attestation.outcome == 'success'
shell: bash
run: gh attestation verify ${{steps.build.outputs.path}} -R Cockatrice/Cockatrice