27 changes: 21 additions & 6 deletions .github/workflows/publish.yml
Expand Up @@ -10,10 +10,10 @@ jobs:
name: Release
runs-on: ubuntu-latest
permissions:
attestations: write
contents: write
id-token: write
packages: write
outputs:
checksums: ${{ steps.capture_checksums.outputs.checksums }}
steps:
- name: Checkout head
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
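Review bot: dropping `attestations: write` and `id-token: write` from the Release job is the right least-privilege change now that provenance is produced by a separate job, but confirm that no remaining step in this job still needs the OIDC token (only the Homebrew and Docker steps are visible in this diff); such a step would now fail at runtime with a permissions error rather than at workflow validation. The new `checksums` output carries the full contents of the checksum file, so it relies on the capturing step writing it in the multi-line `name<<DELIM` form; keep both halves of the change in the same PR.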
Expand Down Expand Up @@ -57,10 +57,14 @@ jobs:
HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_TOKEN }}
- name: Clear Docker login session
run: rm -f ${HOME}/.docker/config.json
- name: Generate artifact attestations
uses: actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 # v3.1.0
with:
subject-checksums: dist/checksums.txt
- name: Capture dist checksums in an output string
id: capture_checksums
run: |
{
echo "checksums<<EOF"
cat dist/checksums.txt
echo "EOF"
} >>"$GITHUB_OUTPUT"
- name: Generate AUR PKGBUILD
run: ./scripts/generate_aur_pkgbuild.sh ${{ steps.git.outputs.tag_version }}
- name: Publish AUR package
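Review bot: the heredoc delimiter in the `capture_checksums` step is the literal `EOF`, so a line consisting of `EOF` in `dist/checksums.txt` would end the output early and truncate what the attest job later signs; GitHub's guidance for multi-line outputs is a random delimiter, e.g. `delimiter="$(openssl rand -hex 16)"`, then `echo "checksums<<${delimiter}"` and `echo "${delimiter}"`. Consider also guarding with `test -s dist/checksums.txt` before exporting, so a missing or empty checksum file fails this job instead of handing the attest job an empty subject list.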
Expand All @@ -73,3 +77,14 @@ jobs:
ssh_private_key: ${{ secrets.AUR_SSH_PRIVATE_KEY }}
commit_message: Release ${{ steps.git.outputs.tag_version }}
force_push: true

attest:
name: Attest
needs:
- publish_release
permissions:
attestations: write # to persist
id-token: write # to sign
uses: UpCloudLtd/workflows/.github/workflows/build-provenance.yaml@main
Member Author:

Requires UpCloudLtd/workflows#40 merged in main over there.
with:
subject-checksums: ${{ needs.publish_release.outputs.checksums }}
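Review bot: the new `attest` job calls `UpCloudLtd/workflows/.github/workflows/build-provenance.yaml@main`, a mutable branch reference, while every action elsewhere in this file is pinned to a full commit SHA (e.g. `actions/checkout@8e8c483d...`). This job holds `id-token: write` and produces the provenance that `gh attestation verify --signer-repo UpCloudLtd/workflows` trusts, so any change to `main` in that repository silently changes what signs releases; once UpCloudLtd/workflows#40 is merged, pin to a tag or commit SHA and let the usual dependency bot bump it. Also, `needs.publish_release` assumes the job whose `name` is Release has the id `publish_release`; that id is not visible in this diff, and an unknown job id in `needs` is rejected at workflow validation.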
4 changes: 3 additions & 1 deletion docs/index.md
Expand Up @@ -138,10 +138,12 @@ and plain old checksum files are available for verifying release assets.
```sh
gh attestation verify \
/path/to/locally/downloaded/upcloud-cli_{{ latest_release }}_linux_x86_64.tar.gz \
--repo UpCloudLtd/upcloud-cli
--repo UpCloudLtd/upcloud-cli \
--signer-repo UpCloudLtd/workflows
```

Attestations are available starting from version 3.16.0.
To verify attestations for versions older than 3.28.0, leave out `--signer-repo`.

=== "Digests"

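Review bot: the added note ties `--signer-repo` to releases from 3.28.0 onward; make sure 3.28.0 is actually the first release produced by the new `attest` job (the release that ships this workflow change), otherwise users of the intermediate versions will follow the wrong instruction and see a verification failure. Since `--signer-repo` accepts any workflow in UpCloudLtd/workflows as the signer, the docs could also mention the narrower `--signer-workflow` flag for users who want to bind verification to the provenance workflow itself (check the exact value format in `gh attestation verify --help`).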