Attestation (#1376)

* try attestation on windows continuous releases. * add attestation for macos, linux continuous releases.
GPSBabel · Nov 10, 2024 · 6e3642f · 6e3642f
1 parent 036988c
commit 6e3642f
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 1 deletion.
diff --git a/.github/workflows/macos.yml b/.github/workflows/macos.yml
@@ -13,6 +13,10 @@ on:
 jobs:
   macos:
     name: macOS Build
+    permissions:
+      id-token: write
+      contents: read
+      attestations: write
     runs-on: ${{ matrix.os }}
     strategy:
       fail-fast: false
@@ -94,6 +98,12 @@ jobs:
         sudo xcode-select --switch /Applications/Xcode_${{ matrix.XCODE_VERSION }}.app
         ./tools/ci_script_osx.sh . ${{ matrix.QT_VERSION }} ${{ matrix.GENERATOR }}
 
+    - name: Generate artifact attestation
+      if: ( github.event_name == 'push' ) && ( github.ref == 'refs/heads/master' ) && matrix.RELEASE
+      uses: actions/attest-build-provenance@v1
+      with:
+        subject-path: 'gui/GPSBabel-*.dmg'
+
     - name: Deploy
       # This only handles continous releases now, for other events artifacts may be saved in
       # the 'Upload Artifacts' step.
@@ -102,7 +112,6 @@ jobs:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         RELEASE_NAME: Continuous-${{ runner.os }}
       run: |
-        echo GITHUB_REF: $GITHUB_REF
         ./tools/uploadtool/upload_github.sh gui/GPSBabel-*.dmg
 
     - name: 'Upload Artifacts'

diff --git a/.github/workflows/ubuntu.yml b/.github/workflows/ubuntu.yml
@@ -86,6 +86,10 @@ jobs:
 
   snap:
     name: snap Build
+    permissions:
+      id-token: write
+      contents: read
+      attestations: write
     runs-on: ubuntu-latest
     outputs:
       snap-file: ${{ steps.build-snap.outputs.snap }}
@@ -106,6 +110,12 @@ jobs:
         /snap/bin/gpsbabel -D3 || true
         ./testo -p /snap/bin/gpsbabel 
 
+    - name: Generate artifact attestation
+      if: ( github.event_name == 'push' ) && ( github.ref == 'refs/heads/master' )
+      uses: actions/attest-build-provenance@v1
+      with:
+        subject-path: ${{ steps.build-snap.outputs.snap }}
+
     - name: Deploy
       # This only handles continous releases now, for other events artifacts may be saved in
       # the 'Upload Artifacts' step.

diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml
@@ -14,6 +14,10 @@ jobs:
 
   windows:
     name: windows Build
+    permissions:
+      id-token: write
+      contents: read
+      attestations: write
     runs-on: ${{ matrix.os }}
     strategy:
       fail-fast: false
@@ -98,6 +102,12 @@ jobs:
         PNAME=./bld/gui/package/gpsbabel.exe GBTEMP=./gbtemp ./testo 2>&1
         PNAME=./bld/gui/package/gpsbabel.exe GBTEMP=./gbtemp ./test_encoding_utf8 2>&1
 
+    - name: Generate artifact attestation
+      if: ( github.event_name == 'push' ) && ( github.ref == 'refs/heads/master' ) && matrix.RELEASE
+      uses: actions/attest-build-provenance@v1
+      with:
+        subject-path: 'bld/gui/GPSBabel-*-Setup.exe'
+
     - name: Deploy
       # This only handles continous releases now, for other events artifacts may be saved in
       # the 'Upload Artifacts' step.