From b54eac18b73a06d6e73a40259c4c78ff350eb8f3 Mon Sep 17 00:00:00 2001
From: Taylor Smock
Date: Tue, 13 Aug 2024 11:14:27 -0600
Subject: [PATCH] Add permissions for attestation

Signed-off-by: Taylor Smock
---
 .github/workflows/ant.yml | 12 ++++++++++++
 README.md | 3 +++
 2 files changed, 15 insertions(+)

diff --git a/.github/workflows/ant.yml b/.github/workflows/ant.yml
index e7a84f8..7c4f445 100644
--- a/.github/workflows/ant.yml
+++ b/.github/workflows/ant.yml
@@ -84,6 +84,9 @@ jobs:
 needs: [josm-build, create_tag]
 outputs:
 plugin_directory: ${{ steps.version.outputs.plugin_directory }}
+ permissions:
+ id-token: write
+ attestations: write
 steps:
 - uses: JOSM/JOSMPluginAction/actions/setup-ant@v2
 with:
@@ -113,6 +116,15 @@ jobs:
 cd $GITHUB_WORKSPACE/josm/plugins/${{ github.event.repository.name }}
 ant -noinput -buildfile build.xml -Dplugin.version=${{ steps.version.outputs.version }}

+ - name: Perform attestation (jar)
+ uses: actions/attest-build-provenance@v1
+ with:
+ subject-path: josm/dist/${{ inputs.plugin-jar-name }}.jar
+ - name: Perform attestation (sources)
+ uses: actions/attest-build-provenance@v1
+ with:
+ subject-path: josm/dist/${{ inputs.plugin-jar-name }}-sources.jar
+
 - name: Upload plugin build
 id: cache-plugin-build
 uses: actions/upload-artifact@v4
diff --git a/README.md b/README.md
index 60c0734..ab30684 100644
--- a/README.md
+++ b/README.md
@@ -42,6 +42,9 @@ on:

 jobs:
 call-workflow:
+ permissions:
+ id-token: write
+ attestations: write
 uses: JOSM/JOSMPluginAction/.github/workflows/ant.yml@v2
 ```
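Review bot: The new job-level `permissions:` block gives `id-token: write` and `attestations: write` to every step of the job, not only the attestation steps, and it sets every scope that is not listed to `none`. That appears to include the `ant` build shown as context in the next hunk, which runs the plugin's own build script. GitHub's documented permission set for `actions/attest-build-provenance` also lists `contents: read`, so if any step outside this hunk reads a private repository with the job token, that line is needed here as well. A comment above the block would record the intent, e.g. `# id-token/attestations: write are required only by the attest-build-provenance steps; all other scopes are none`. Running the attestation in a separate job that consumes the uploaded artifact would keep the OIDC token away from the build, but the job body continues outside the hunk, so that is only a suggestion.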
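Review bot: Both new steps reference `actions/attest-build-provenance@v1`, a movable tag, in a job that now carries `id-token: write` and `attestations: write`. Pinning to a full commit SHA, e.g. `uses: actions/attest-build-provenance@<full-commit-sha> # v1`, means a retagged release cannot run with the signing identity. The steps are also unconditional: if this reusable workflow is called from a fork-triggered `pull_request` run, the token cannot be granted those write scopes and the attestation step would likely fail the build. A guard such as `if: github.event_name != 'pull_request'` on both steps would avoid that, though the callers' triggers are not visible here. The step list starts before and continues after the hunk.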