From 3b130822a5ca8e5144fa237471ebba2022239cf3 Mon Sep 17 00:00:00 2001
From: HuangTao <16779242@qq.com>
Date: Sat, 6 Jun 2026 13:58:23 +0900
Subject: [PATCH 1/3] ci: add GitHub build provenance attestations
Co-Authored-By: Claude Sonnet 4.6
---
 .github/workflows/build-pre-release.yaml | 9 +++++++++
 .github/workflows/build-release.yaml | 9 +++++++++
 2 files changed, 18 insertions(+)
diff --git a/.github/workflows/build-pre-release.yaml b/.github/workflows/build-pre-release.yaml
index 185df7402a..e7f04ebb03 100644
--- a/.github/workflows/build-pre-release.yaml
+++ b/.github/workflows/build-pre-release.yaml
@@ -8,6 +8,10 @@ on:
 jobs:
 BuildPreRelease:
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ attestations: write
+ contents: write
 steps:
 - name: Checkout Repository
 uses: actions/checkout@v6
@@ -68,6 +72,11 @@ jobs:
 if: success()
 run: ./gradlew --no-daemon app:assembleAlphaRelease
+ - name: Generate Artifact Attestation
+ uses: actions/attest-build-provenance@v2
+ with:
+ subject-path: app/build/outputs/apk/alpha/release/*.apk
+
 # Delete old Prerelease-alpha
 - uses: dev-drprasad/delete-tag-and-release@v1.1
 with:
diff --git a/.github/workflows/build-release.yaml b/.github/workflows/build-release.yaml
index 41beb49499..90774d326c 100644
--- a/.github/workflows/build-release.yaml
+++ b/.github/workflows/build-release.yaml
@@ -10,6 +10,10 @@ on:
 jobs:
 BuildRelease:
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ attestations: write
+ contents: write
 steps:
 - name: Checkout Repository
 uses: actions/checkout@v6
@@ -107,6 +111,11 @@ jobs:
 if: success()
 run: ./gradlew --no-daemon app:assembleMetaRelease
+ - name: Generate Artifact Attestation
+ uses: actions/attest-build-provenance@v2
+ with:
+ subject-path: app/build/outputs/apk/meta/release/*.apk
+
 - name: Tag Repo
 uses: richardsimko/update-tag@v1
 with:
From 544b15ebcd1c6144fcbac75a57e0308ab3ae961d Mon Sep 17 00:00:00 2001
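Review bot: The `permissions:` block added at job level in `BuildPreRelease` (and identically in `BuildRelease` in build-release.yaml) grants `id-token: write` and `attestations: write` to every step of the job, not only to the attestation step. That covers the Gradle build and the third-party actions visible in these hunks (`dev-drprasad/delete-tag-and-release@v1.1`, `richardsimko/update-tag@v1`), so a compromised dependency or action in the same job could obtain provenance for content this workflow did not build. Consider building in a job that holds only `contents: read`, handing the APKs over as a workflow artifact, and attesting and releasing in a second job that carries the write scopes. If the single job is kept, record the reason for each scope next to it, e.g. `# id-token + attestations: needed by actions/attest-build-provenance; contents: write: tag and release steps`. The job bodies continue outside the hunks, so other steps that depend on scopes now implicitly set to none could not be checked here.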
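Review bot: `actions/attest-build-provenance@v2` in the new "Generate Artifact Attestation" step (same step in build-release.yaml) is referenced by a movable tag, although it is the code that signs provenance for release APKs; pin it to a full commit SHA, e.g. `uses: actions/attest-build-provenance@<full-commit-sha> # v2`. The step runs directly after the `assemble…Release` task, so if a later step outside the hunk re-signs or otherwise rewrites the APK before upload, the published file's digest would not match the attested one; the attestation should be taken over exactly the files that get released. It would also help to document in the release notes how users can check it, for instance `gh attestation verify <apk> --repo <owner>/<repo>`.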
From: HuangTao <16779242@qq.com>
Date: Sat, 6 Jun 2026 14:17:11 +0900
Subject: [PATCH 2/3] ci(debug): add GitHub build provenance attestation for testing
Co-Authored-By: Claude Sonnet 4.6
---
 .github/workflows/build-debug.yaml | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/build-debug.yaml b/.github/workflows/build-debug.yaml
index f51a707d34..99800f1750 100644
--- a/.github/workflows/build-debug.yaml
+++ b/.github/workflows/build-debug.yaml
@@ -10,6 +10,10 @@ on:
 jobs:
 BuildDebug:
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ attestations: write
+ contents: read
 steps:
 - name: Checkout Repository
 uses: actions/checkout@v6
@@ -69,7 +73,12 @@ jobs:
 - name: Build
 if: success()
 run: ./gradlew --no-daemon app:assembleAlphaRelease
-
+
+ - name: Generate Artifact Attestation
+ uses: actions/attest-build-provenance@v2
+ with:
+ subject-path: app/build/outputs/apk/alpha/release/*.apk
+
 - name: Upload Aritfact (universal)
 uses: actions/upload-artifact@v7
 if: ${{ success() }}
From 619f4f68ee5e0fdb645bac36dbb767d620e2ae80 Mon Sep 17 00:00:00 2001
From: HuangTao <16779242@qq.com>
Date: Sat, 6 Jun 2026 14:25:32 +0900
Subject: [PATCH 3/3] ci(debug): remove temporary provenance attestation from debug workflow
Co-Authored-By: Claude Sonnet 4.6
---
 .github/workflows/build-debug.yaml | 9 ---------
 1 file changed, 9 deletions(-)
diff --git a/.github/workflows/build-debug.yaml b/.github/workflows/build-debug.yaml
index 99800f1750..907bc51007 100644
--- a/.github/workflows/build-debug.yaml
+++ b/.github/workflows/build-debug.yaml
@@ -10,10 +10,6 @@ on:
 jobs:
 BuildDebug:
 runs-on: ubuntu-latest
- permissions:
- id-token: write
- attestations: write
- contents: read
 steps:
 - name: Checkout Repository
 uses: actions/checkout@v6
@@ -74,11 +70,6 @@ jobs:
 if: success()
 run: ./gradlew --no-daemon app:assembleAlphaRelease
- - name: Generate Artifact Attestation
- uses: actions/attest-build-provenance@v2
- with:
- subject-path: app/build/outputs/apk/alpha/release/*.apk
-
 - name: Upload Aritfact (universal)
 uses: actions/upload-artifact@v7
 if: ${{ success() }}