Add build attestations for releases (#5967)

2025-12-12 15:49:28 -08:00 · 2025-06-09 04:29:49 +02:00
parent 87767be4a6
commit aa41eb5da4
1 changed files with 48 additions and 0 deletions
--- a/.github/workflows/desktop-build.yml
+++ b/.github/workflows/desktop-build.yml
@@ -181,6 +181,7 @@ jobs:
          key: ${{ steps.ccache_restore.outputs.cache-primary-key }}

      - name: Upload artifact
+        id: upload_artifact
        if: matrix.package != 'skip'
        uses: actions/upload-artifact@v4
        with:
@@ -189,6 +190,7 @@ jobs:
          if-no-files-found: error

      - name: Upload to release
+        id: upload_release
        if: matrix.package != 'skip' && needs.configure.outputs.tag != null
        shell: bash
        env:
@@ -198,6 +200,20 @@ jobs:
          asset_name: ${{steps.build.outputs.name}}
        run: gh release upload "$tag_name" "$asset_path#$asset_name"

+      - name: Attest binary provenance
+        id: attestation
+        if: steps.upload_release.outcome == 'success'
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-path: ${{steps.build.outputs.path}}
+          subject-name: ${{steps.build.outputs.name}}
+          subject-digest: sha256:${{ steps.upload_artifact.outputs.artifact-digest }}
+
+      - name: Verify binary attestation
+        if: steps.attestation.outcome == 'success'
+        shell: bash
+        run: gh attestation verify ${{steps.build.outputs.path}} -R Cockatrice/Cockatrice
+
  build-macos:
    strategy:
      fail-fast: false
@@ -342,6 +358,7 @@ jobs:
          fi

      - name: Upload artifact
+        id: upload_artifact
        if: matrix.make_package
        uses: actions/upload-artifact@v4
        with:
@@ -350,6 +367,7 @@ jobs:
          if-no-files-found: error

      - name: Upload to release
+        id: upload_release
        if: matrix.make_package && needs.configure.outputs.tag != null
        shell: bash
        env:
@@ -359,6 +377,20 @@ jobs:
          asset_name: ${{steps.build.outputs.name}}
        run: gh release upload "$tag_name" "$asset_path#$asset_name"

+      - name: Attest binary provenance
+        id: attestation
+        if: steps.upload_release.outcome == 'success'
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-path: ${{steps.build.outputs.path}}
+          subject-name: ${{steps.build.outputs.name}}
+          subject-digest: sha256:${{ steps.upload_artifact.outputs.artifact-digest }}
+
+      - name: Verify binary attestation
+        if: steps.attestation.outcome == 'success'
+        shell: bash
+        run: gh attestation verify ${{steps.build.outputs.path}} -R Cockatrice/Cockatrice
+
  build-windows:
    strategy:
      fail-fast: false
@@ -422,6 +454,7 @@ jobs:
        run: .ci/compile.sh --server --release --test --package

      - name: Upload artifact
+        id: upload_artifact
        uses: actions/upload-artifact@v4
        with:
          name: Windows${{matrix.target}}-installer
@@ -438,6 +471,7 @@ jobs:
          if-no-files-found: error

      - name: Upload to release
+        id: upload_release
        if: needs.configure.outputs.tag != null
        shell: bash
        env:
@@ -446,3 +480,17 @@ jobs:
          asset_path: ${{steps.build.outputs.path}}
          asset_name: ${{steps.build.outputs.name}}
        run: gh release upload "$tag_name" "$asset_path#$asset_name"
+
+      - name: Attest binary provenance
+        id: attestation
+        if: steps.upload_release.outcome == 'success'
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-path: ${{steps.build.outputs.path}}
+          subject-name: ${{steps.build.outputs.name}}
+          subject-digest: sha256:${{ steps.upload_artifact.outputs.artifact-digest }}
+
+      - name: Verify binary attestation
+        if: steps.attestation.outcome == 'success'
+        shell: bash
+        run: gh attestation verify ${{steps.build.outputs.path}} -R Cockatrice/Cockatrice