Generate artifact attestation

dart-musl · Feb 14, 2025 · fcb0a2a · fcb0a2a
1 parent 8c25fad
commit fcb0a2a
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 1 deletion.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -55,7 +55,7 @@ jobs:
           }
           EOF
           cd dart-sdk/sdk
-          ./tools/sdks/dart-sdk/bin/dart run /tmp/version.dart | tee -a $GITHUB_OUTPUT
+          ./tools/sdks/dart-sdk/bin/dart run /tmp/version.dart | tee -a "$GITHUB_OUTPUT"
 
       - name: Fetch Checked-in Dart SDK
         run: |
@@ -89,6 +89,10 @@ jobs:
 
     runs-on: ubuntu-latest
 
+    permissions:
+      id-token: write
+      attestations: write
+
     container:
       image: docker.io/library/alpine
 
@@ -151,6 +155,11 @@ jobs:
         run: |
           tar -czf dartsdk-linux-${{ matrix.target-arch }}-release.tar.gz -C dart-sdk/sdk/out/Release* -- dart-sdk
 
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-path: dartsdk-linux-${{ matrix.target-arch }}-release.tar.gz
+
       - name: Upload Artifact
         uses: actions/upload-artifact@v4
         with:

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -7,6 +7,9 @@ on:
 
 jobs:
   build:
+    permissions:
+      id-token: write
+      attestations: write
     uses: ./.github/workflows/build.yml
     with:
       ref: ${{ github.ref_name }}

diff --git a/.github/workflows/schedule.yml b/.github/workflows/schedule.yml
@@ -58,6 +58,9 @@ jobs:
   stable:
     needs: [latest]
     if: needs.latest.outputs.stable-cache-hit != 'true'
+    permissions:
+      id-token: write
+      attestations: write
     uses: ./.github/workflows/build.yml
     with:
       ref: ${{ needs.latest.outputs.stable-version }}
@@ -66,6 +69,9 @@ jobs:
   beta:
     needs: [latest]
     if: needs.latest.outputs.beta-cache-hit != 'true' && needs.latest.outputs.beta-version != needs.latest.outputs.stable-version
+    permissions:
+      id-token: write
+      attestations: write
     uses: ./.github/workflows/build.yml
     with:
       ref: ${{ needs.latest.outputs.beta-version }}
@@ -74,13 +80,19 @@ jobs:
   dev:
     needs: [latest]
     if: needs.latest.outputs.dev-cache-hit != 'true' && needs.latest.outputs.dev-version != needs.latest.outputs.beta-version && needs.latest.outputs.dev-version != needs.latest.outputs.stable-version
+    permissions:
+      id-token: write
+      attestations: write
     uses: ./.github/workflows/build.yml
     with:
       ref: ${{ needs.latest.outputs.dev-version }}
     secrets: inherit
 
   edge:
     needs: [latest]
+    permissions:
+      id-token: write
+      attestations: write
     uses: ./.github/workflows/build.yml
     with:
       ref: ${{ needs.latest.outputs.edge-version }}