From b95e027a5ac2431310a9fbc9e54926331d52fde5 Mon Sep 17 00:00:00 2001 From: Daniel Baker Date: Mon, 6 Jul 2026 20:30:14 -0700 Subject: [PATCH] ci: attest build provenance for release artifacts MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sign the GitHub release artifacts (the branding guide PDF and the public logos in result-assets) with actions/attest-build-provenance, so consumers can verify their origin with `gh attestation verify -R NixOS/branding`. Grants the release job id-token: write + attestations: write (both scoped to that job). Complements the npm package's trusted-publishing provenance — now both distribution channels carry verifiable provenance. --- .github/workflows/release-guide.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/release-guide.yml b/.github/workflows/release-guide.yml index df96d58..9bf87e6 100644 --- a/.github/workflows/release-guide.yml +++ b/.github/workflows/release-guide.yml @@ -25,6 +25,8 @@ jobs: runs-on: ubuntu-latest permissions: contents: write # gh release create publishes the release + id-token: write # sign the build-provenance attestation via OIDC + attestations: write # write the build-provenance attestation steps: - name: Checkout uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 @@ -54,6 +56,10 @@ jobs: nix build .\#nixos-branding.release-assets \ --print-build-logs \ --out-link result-assets + - name: Attest build provenance + uses: actions/attest-build-provenance@0f67c3f4856b2e3261c31976d6725780e5e4c373 # v4.1.1 + with: + subject-path: result-assets/* - name: Get latest release info id: query-release-info uses: release-flow/keep-a-changelog-action@74931dec7ecdbfc8e38ac9ae7e8dd84c08db2f32 # v3.0.0