build: add provenance to lint and release workflow

evva-sfw · Aug 26, 2024 · 6032a6c · 6032a6c
1 parent 3601fb7
commit 6032a6c
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 6 deletions.
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -12,21 +12,25 @@ permissions:
 jobs:
   lint_typecheck:
     runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        node-version: [lts/*]
-        # See supported Node.js release schedule at https://nodejs.org/en/about/previous-releases
+    permissions:
+      id-token: write
+      attestations: write
     steps:
     - uses: actions/checkout@v3
-    - name: Use Node.js ${{ matrix.node-version }}
+    - name: Setup nodejs
       uses: actions/setup-node@v4
       with:
-        node-version: ${{ matrix.node-version }}
+        node-version: lts/*
         cache: 'yarn'
     - run: yarn
     - run: yarn lint
     - run: yarn typecheck
     - run: yarn pack --out '%s_%v.tgz'
+    - name: Upload Artifact
+      uses: actions/upload-artifact@v4
+      with:
+        name: package
+        path: '${{ github.workspace }}/*.tgz'
     - name: Attest
       uses: actions/attest-build-provenance@v1
       with:

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -19,6 +19,7 @@ jobs:
       contents: write
       packages: write
       id-token: write
+      attestations: write
     steps:
       - uses: actions/checkout@v4
         with:
@@ -66,3 +67,8 @@ jobs:
         run: npx release-it ${{ github.event.inputs.input_version }} --ci
         env:
           BOT_GITHUB_TOKEN: ${{ secrets.BOT_GITHUB_TOKEN }}
+
+      - name: Attest
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-path: '${{ github.workspace }}/*.tgz'