@@ -10,10 +10,10 @@ jobs:
1010 name: Release
1111 runs-on: ubuntu-latest
1212 permissions:
13- attestations: write
1413 contents: write
15- id-token: write
1614 packages: write
15+ outputs:
16+ checksums: ${{ steps.capture_checksums.outputs.checksums }}
1717 steps:
1818 - name: Checkout head
1919 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -57,10 +57,14 @@ jobs:
5757 HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_TOKEN }}
5858 - name: Clear Docker login session
5959 run: rm -f ${HOME}/.docker/config.json
60- - name: Generate artifact attestations
61- uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
62- with:
63- subject-checksums: dist/checksums.txt
60+ - name: Capture dist checksums in an output string
61+ id: capture_checksums
62+ run: |
63+ {
64+ echo "checksums<<EOF"
65+ cat dist/checksums.txt
66+ echo "EOF"
67+ } >>"$GITHUB_OUTPUT"
6468 - name: Generate AUR PKGBUILD
6569 run: ./scripts/generate_aur_pkgbuild.sh ${{ steps.git.outputs.tag_version }}
6670 - name: Publish AUR package
7377 ssh_private_key: ${{ secrets.AUR_SSH_PRIVATE_KEY }}
7478 commit_message: Release ${{ steps.git.outputs.tag_version }}
7579 force_push: true
80+
81+ attest:
82+ name: Attest
83+ needs:
84+ - publish_release
85+ permissions:
86+ attestations: write # to persist
87+ id-token: write # to sign
88+ uses: UpCloudLtd/workflows/.github/workflows/build-provenance.yaml@main
89+ with:
90+ subject-checksums: ${{ needs.publish_release.outputs.checksums }}
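Review bot: The new `attest` job calls `UpCloudLtd/workflows/.github/workflows/build-provenance.yaml@main`, a mutable branch ref, while the actions visible in this file (`actions/checkout`, and the removed `actions/attest`) are pinned to full commit SHAs. The called workflow runs with this job's `id-token: write` and `attestations: write`, so whatever is on `main` at release time decides what gets signed; pinning it the same way, `uses: UpCloudLtd/workflows/.github/workflows/build-provenance.yaml@<full-commit-sha> # <version>`, keeps the signer reviewable and reproducible. Separately, the `Capture dist checksums in an output string` step uses the fixed heredoc delimiter `EOF`; a line in `dist/checksums.txt` equal to `EOF` would end the output early, so a per-run random delimiter is the safer form, although the file's contents presumably come from the release tooling.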
@@ -138,10 +138,12 @@ and plain old checksum files are available for verifying release assets.
138138 ```sh
139139 gh attestation verify \
140140 /path/to/locally/downloaded/upcloud-cli_{{ latest_release }}_linux_x86_64.tar.gz \
141- --repo UpCloudLtd/upcloud-cli
141+ --repo UpCloudLtd/upcloud-cli \
142+ --signer-repo UpCloudLtd/workflows
142143 ```
143144
144145 Attestations are available starting from version 3.16.0.
146+ To verify attestations for versions older than 3.28.0, leave out `--signer-repo`.
145147
146148=== "Digests"
147149