Skip to content

Add GitHub artifact attest to APK build/release workflows#316

Merged
Goooler merged 2 commits into
trunkfrom
copilot/port-pull-769
Jun 6, 2026
Merged

Add GitHub artifact attest to APK build/release workflows#316
Goooler merged 2 commits into
trunkfrom
copilot/port-pull-769

Conversation

Copilot AI commented Jun 6, 2026
edited
Loading

Copy link
Copy Markdown

This ports the provenance-hardening from MetaCubeX#769 into Tabby’s workflows so release APKs include verifiable GitHub artifact attestations. The change focuses on enabling OIDC-backed attestation generation in existing APK-producing jobs.

  • Workflow permissions

    • Added id-token: write and attestations: write to APK-producing jobs in:
      • .github/workflows/build.yml (build)
      • .github/workflows/release.yml (release)
    • Kept existing contents: write permission unchanged.

  • Provenance generation

    • Added actions/attest-build-provenance@v2 immediately after APK build steps in both workflows.
    • Configured attestation scope to generated release APKs:
      • app/build/outputs/apk/release/*.apk

  • Resulting behavior

    • Release artifacts produced by CI now emit signed provenance metadata tied to workflow/run context, improving downstream artifact verification.
permissions:
  id-token: write
  attestations: write
  contents: write

- name: Generate Artifact Attestation
  uses: actions/attest-build-provenance@v2
  with:
    subject-path: app/build/outputs/apk/release/*.apk

Copilot AI changed the title ci: add GitHub artifact attestations for APK workflows CI: add GitHub artifact attestations to APK build/release workflows Jun 6, 2026
Copilot AI requested a review from Goooler June 6, 2026 23:38
@Goooler Goooler marked this pull request as ready for review June 6, 2026 23:41
Goooler
Goooler approved these changes Jun 6, 2026
View reviewed changes

@Goooler Goooler left a comment

Copy link
Copy Markdown
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://github.com/actions/attest-build-provenance/releases/tag/v4.0.0

Comment thread .github/workflows/build.yml Outdated
Comment thread .github/workflows/release.yml Outdated
Comment thread .github/workflows/release.yml
@Goooler
Apply suggestions from code review
df801cf 
Co-authored-by: Zongle Wang <wangzongler@gmail.com>
@Goooler Goooler changed the title CI: add GitHub artifact attestations to APK build/release workflows Add GitHub artifact attest to APK build/release workflows Jun 6, 2026
@Goooler Goooler merged commit 3947bcb into trunk Jun 6, 2026
4 checks passed
@Goooler Goooler deleted the copilot/port-pull-769 branch June 6, 2026 23:53
Goooler added a commit that referenced this pull request Jun 7, 2026
@Goooler
Revert "Add GitHub artifact attest to APK build/release workflows (#316
cee106e 
…)"

This reverts commit 3947bcb
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@Goooler Goooler Goooler approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@Goooler Goooler

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Goooler