From 689db93c999141d273b829bfa3f0072b10997518 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ville=20Skytt=C3=A4?=
Date: Mon, 14 Jul 2025 08:05:03 +0000
Subject: [PATCH] Generate artifact attestations for release assets (#1216)
---
 .github/workflows/create_release_assets.yml | 24 +++++++++++++++++++++
 1 file changed, 24 insertions(+)
diff --git a/.github/workflows/create_release_assets.yml b/.github/workflows/create_release_assets.yml
index dd5fcccd..2f8f29d2 100644
--- a/.github/workflows/create_release_assets.yml
+++ b/.github/workflows/create_release_assets.yml
@@ -22,6 +22,13 @@ on:
 jobs:
 # Publish release files for CD native environments
 native_build:
+ permissions:
+ # Use to sign the release artifacts
+ id-token: write
+ # Used to upload release artifacts
+ contents: write
+ # Used to generate artifact attestations
+ attestations: write
 strategy:
 fail-fast: false
 matrix:
@@ -119,8 +126,20 @@ jobs:
 tag_name: ${{ steps.determine_tag_name.outputs.tag_name }}
 files: assets/*
 
+ - name: Generate artifact attestations
+ uses: actions/attest-build-provenance@v2
+ with:
+ subject-path: assets/*
+
 # Publish release files for non-CD-native environments
 cross_build:
+ permissions:
+ # Use to sign the release artifacts
+ id-token: write
+ # Used to upload release artifacts
+ contents: write
+ # Used to generate artifact attestations
+ attestations: write
 strategy:
 fail-fast: false
 matrix:
@@ -223,3 +242,8 @@ jobs:
 with:
 tag_name: ${{ steps.determine_tag_name.outputs.tag_name }}
 files: assets/*
+
+ - name: Generate artifact attestations
+ uses: actions/attest-build-provenance@v2
+ with:
+ subject-path: assets/*
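Review bot: The three write scopes are declared at job level under `native_build:`, so every step of the job, including the build steps outside this hunk, runs with `id-token: write`, `contents: write` and `attestations: write`, not only the attestation step. If those build steps run third-party actions or project scripts, consider building in a job that holds only `contents: read` and passing the assets to a small publish-and-attest job that holds the write scopes. The first comment reads `# Use to sign the release artifacts`; `# Used to request the OIDC token that signs the attestations` would be more precise about what the scope grants. The same block is repeated under `cross_build:` in the second hunk.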
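Review bot: `actions/attest-build-provenance@v2` is referenced by a movable tag in a job that holds `id-token: write` and `attestations: write`; pinning it to a full commit SHA, `uses: actions/attest-build-provenance@<full-commit-sha> # v2`, keeps the signing step from changing underneath the workflow. The step is also placed after what appears to be the release upload (`files: assets/*`; that step's `uses:` line is outside the hunk), so a failed attestation would leave already-published assets without provenance, and running it before the upload avoids that. Both points apply to the identical step added in the third hunk. Consumers can check a downloaded asset with `gh attestation verify <file> --repo <owner>/<repo>`, which is worth mentioning in the release notes.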