Add write permission for build provenance attestation #14
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| on: | |
| push: | |
| tags: | |
| - "v*.*.*" | |
| workflow_dispatch: | |
| name: Build and publish executable | |
| permissions: | |
| contents: write | |
| pages: write | |
| id-token: write | |
| attestations: write | |
| jobs: | |
| build_publish: | |
| name: Bundle x86_64 | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v2 | |
| - name: Build bundle | |
| run: cd dist && sudo ./build.sh --dist --bundle | |
| # Support verifiable builds | |
| - name: Compute hashes | |
| shell: bash | |
| run: | | |
| echo "--- BEGIN SHA256SUM ---" | |
| sha256sum dist/bin/* | |
| echo "--- END SHA256SUM ---" | |
| - name: Upload artifacts | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: bin | |
| path: dist/bin/* | |
| - name: Generate artifact attestation | |
| uses: actions/attest-build-provenance@v1 | |
| with: | |
| subject-path: dist/bin/* | |
| - name: Publish bundle | |
| uses: softprops/action-gh-release@v1 | |
| with: | |
| name: Automated build of ${{ github.ref }} | |
| files: dist/bin/* | |
| draft: true | |
| prerelease: false | |
| body: This is an automated build of commit ${{ github.ref }}. |