From a541e8f2eabd47ed11253c8dd13e6758d8d6766b Mon Sep 17 00:00:00 2001 From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com> Date: Thu, 25 Jun 2026 09:13:03 +0100 Subject: [PATCH] feat(ci): attest build provenance Add GitHub-native build-provenance attestation (actions/attest-build-provenance@v2, SHA-pinned) to the release workflow. Co-Authored-By: Claude Opus 4.8 --- .github/workflows/release.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 8738aa37..138d9409 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -52,6 +52,10 @@ jobs: fi build: needs: prepare + permissions: + contents: write + id-token: write + attestations: write strategy: fail-fast: false matrix: @@ -98,6 +102,10 @@ jobs: run: | install -m 0755 _build/default/bin/main.exe \ "affinescript-${{ matrix.target }}" + - name: Attest build provenance + uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2 + with: + subject-path: 'affinescript-${{ matrix.target }}' - name: Upload the binary to the release env: GH_TOKEN: ${{ github.token }}