From ef622f5ab60fd544ba3491568025b1bb677f2fb7 Mon Sep 17 00:00:00 2001
From: David Tolnay <dtolnay@gmail.com>
Date: Sun, 26 Jan 2025 12:48:26 -0800
Subject: [PATCH] Perform artifact attestation

---
 .github/workflows/bindgen.yml                         | 2 ++
 .github/workflows/buckle.yml                          | 2 ++
 .github/workflows/build.yml                           | 5 +++++
 .github/workflows/cargo-afl.yml                       | 2 ++
 .github/workflows/cargo-bloat.yml                     | 2 ++
 .github/workflows/cargo-docs-rs.yml                   | 2 ++
 .github/workflows/cargo-expand.yml                    | 2 ++
 .github/workflows/cargo-fuzz.yml                      | 2 ++
 .github/workflows/cargo-llvm-lines.yml                | 2 ++
 .github/workflows/cargo-outdated.yml                  | 2 ++
 .github/workflows/cargo-tally.yml                     | 2 ++
 .github/workflows/cargo-unlock.yml                    | 2 ++
 .github/workflows/cargo-web.yml                       | 2 ++
 .github/workflows/cbindgen.yml                        | 2 ++
 .github/workflows/cxxbridge-cmd.yml                   | 2 ++
 .github/workflows/dircnt.yml                          | 2 ++
 .github/workflows/dotslash.yml                        | 2 ++
 .github/workflows/faketty.yml                         | 2 ++
 .github/workflows/honggfuzz.yml                       | 2 ++
 .github/workflows/mdbook.yml                          | 2 ++
 .github/workflows/reindeer.yml                        | 2 ++
 .github/workflows/rustup-toolchain-install-master.yml | 2 ++
 .github/workflows/sha1dir.yml                         | 2 ++
 .github/workflows/star-history.yml                    | 2 ++
 .github/workflows/taplo-cli.yml                       | 2 ++
 25 files changed, 53 insertions(+)

diff --git a/.github/workflows/bindgen.yml b/.github/workflows/bindgen.yml
index 865de82..26d1800 100644
--- a/.github/workflows/bindgen.yml
+++ b/.github/workflows/bindgen.yml
@@ -13,5 +13,7 @@ jobs:
       crate: bindgen-cli
       bin: bindgen
     permissions:
+      id-token: write
       contents: write
+      attestations: write
     secrets: inherit
diff --git a/.github/workflows/buckle.yml b/.github/workflows/buckle.yml
index 286321c..cc92e63 100644
--- a/.github/workflows/buckle.yml
+++ b/.github/workflows/buckle.yml
@@ -12,5 +12,7 @@ jobs:
     with:
       crate: buckle
     permissions:
+      id-token: write
       contents: write
+      attestations: write
     secrets: inherit
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 2616d53..d8178f3 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -38,7 +38,9 @@ jobs:
     name: ${{inputs.crate}}
     runs-on: ubuntu-latest
     permissions:
+      id-token: write
       contents: write
+      attestations: write
     timeout-minutes: 45
     steps:
       - uses: actions/checkout@v4
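Review bot: The two added permission keys are undocumented, and since this block is the job-level `permissions` of the reusable build workflow, `id-token: write` is in force for every step of the job, including the crate build steps that are outside this hunk, not just the attestation step. I would add a comment above the two new keys explaining the grant, e.g. `# id-token: write lets actions/attest-build-provenance request an OIDC token for Sigstore signing; attestations: write lets it store the resulting attestation in the repository`, so a later reader does not widen or remove them by accident. If the job later grows steps that run untrusted code, consider moving the attestation into a separate job that receives the binary as an artifact, so the OIDC-capable job runs only the attestation step. The job body continues past the end of this hunk.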
@@ -63,6 +65,9 @@ jobs:
       - run: gpg --output ${{inputs.bin || inputs.crate}}.sig --detach-sig ${{steps.which.outputs.which}}
       - run: gpg --output signing-key.gpg --dearmor signing-key.asc
       - run: gpg --no-default-keyring --keyring ./signing-key.gpg --verify ${{inputs.bin || inputs.crate}}.sig ${{steps.which.outputs.which}}
+      - uses: actions/attest-build-provenance@v2
+        with:
+          subject-path: ${{steps.which.outputs.which}}
       - run: git tag -d ${{inputs.crate}} || true
       - run: git tag ${{inputs.crate}}
       - run: git push origin tag ${{inputs.crate}} --force
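Review bot: The new `actions/attest-build-provenance@v2` step at the hunk's middle is referenced by a floating major-version tag; in a commit whose purpose is supply-chain provenance, the action itself should be pinned to a full commit SHA with the version in a trailing comment, e.g. `- uses: actions/attest-build-provenance@<COMMIT_SHA_PLACEHOLDER> # v2`, so the step that produces the provenance cannot change underneath the workflow. The placement is sound: it runs after the gpg signature is produced and verified and before the tag is deleted and re-pushed, so a failed attestation aborts the job before the tag moves. Only `${{steps.which.outputs.which}}` is attested, not the detached `.sig` produced two lines earlier; that looks intentional since the signature is itself an authenticator, but a short comment on the step saying so would settle it. Any later step that uploads the binary as a release asset is outside this hunk, so I cannot confirm the attested file is byte-identical to what is published; that is worth checking.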
diff --git a/.github/workflows/cargo-afl.yml b/.github/workflows/cargo-afl.yml
index 9729a4b..63ba093 100644
--- a/.github/workflows/cargo-afl.yml
+++ b/.github/workflows/cargo-afl.yml
@@ -12,5 +12,7 @@ jobs:
     with:
       crate: cargo-afl
     permissions:
+      id-token: write
       contents: write
+      attestations: write
     secrets: inherit
diff --git a/.github/workflows/cargo-bloat.yml b/.github/workflows/cargo-bloat.yml
index 6e7b45c..de3c6da 100644
--- a/.github/workflows/cargo-bloat.yml
+++ b/.github/workflows/cargo-bloat.yml
@@ -12,5 +12,7 @@ jobs:
     with:
       crate: cargo-bloat
     permissions:
+      id-token: write
       contents: write
+      attestations: write
     secrets: inherit
diff --git a/.github/workflows/cargo-docs-rs.yml b/.github/workflows/cargo-docs-rs.yml
index 8c9ac79..8ba03ab 100644
--- a/.github/workflows/cargo-docs-rs.yml
+++ b/.github/workflows/cargo-docs-rs.yml
@@ -12,5 +12,7 @@ jobs:
     with:
       crate: cargo-docs-rs
     permissions:
+      id-token: write
       contents: write
+      attestations: write
     secrets: inherit
diff --git a/.github/workflows/cargo-expand.yml b/.github/workflows/cargo-expand.yml
index 2477051..a229b0b 100644
--- a/.github/workflows/cargo-expand.yml
+++ b/.github/workflows/cargo-expand.yml
@@ -12,5 +12,7 @@ jobs:
     with:
       crate: cargo-expand
     permissions:
+      id-token: write
       contents: write
+      attestations: write
     secrets: inherit
diff --git a/.github/workflows/cargo-fuzz.yml b/.github/workflows/cargo-fuzz.yml
index 71bb384..8d48884 100644
--- a/.github/workflows/cargo-fuzz.yml
+++ b/.github/workflows/cargo-fuzz.yml
@@ -12,5 +12,7 @@ jobs:
     with:
       crate: cargo-fuzz
     permissions:
+      id-token: write
       contents: write
+      attestations: write
     secrets: inherit
diff --git a/.github/workflows/cargo-llvm-lines.yml b/.github/workflows/cargo-llvm-lines.yml
index 674177e..b0b41e8 100644
--- a/.github/workflows/cargo-llvm-lines.yml
+++ b/.github/workflows/cargo-llvm-lines.yml
@@ -12,5 +12,7 @@ jobs:
     with:
       crate: cargo-llvm-lines
     permissions:
+      id-token: write
       contents: write
+      attestations: write
     secrets: inherit
diff --git a/.github/workflows/cargo-outdated.yml b/.github/workflows/cargo-outdated.yml
index e510ed5..0eeaff3 100644
--- a/.github/workflows/cargo-outdated.yml
+++ b/.github/workflows/cargo-outdated.yml
@@ -12,5 +12,7 @@ jobs:
     with:
       crate: cargo-outdated
     permissions:
+      id-token: write
       contents: write
+      attestations: write
     secrets: inherit
diff --git a/.github/workflows/cargo-tally.yml b/.github/workflows/cargo-tally.yml
index 70081cc..5fb40c1 100644
--- a/.github/workflows/cargo-tally.yml
+++ b/.github/workflows/cargo-tally.yml
@@ -12,5 +12,7 @@ jobs:
     with:
       crate: cargo-tally
     permissions:
+      id-token: write
       contents: write
+      attestations: write
     secrets: inherit
diff --git a/.github/workflows/cargo-unlock.yml b/.github/workflows/cargo-unlock.yml
index e744f8f..ed1433a 100644
--- a/.github/workflows/cargo-unlock.yml
+++ b/.github/workflows/cargo-unlock.yml
@@ -12,5 +12,7 @@ jobs:
     with:
       crate: cargo-unlock
     permissions:
+      id-token: write
       contents: write
+      attestations: write
     secrets: inherit
diff --git a/.github/workflows/cargo-web.yml b/.github/workflows/cargo-web.yml
index f651b81..29b1220 100644
--- a/.github/workflows/cargo-web.yml
+++ b/.github/workflows/cargo-web.yml
@@ -12,5 +12,7 @@ jobs:
     with:
       crate: cargo-web
     permissions:
+      id-token: write
       contents: write
+      attestations: write
     secrets: inherit
diff --git a/.github/workflows/cbindgen.yml b/.github/workflows/cbindgen.yml
index 6ef9866..73d59a6 100644
--- a/.github/workflows/cbindgen.yml
+++ b/.github/workflows/cbindgen.yml
@@ -12,5 +12,7 @@ jobs:
     with:
       crate: cbindgen
     permissions:
+      id-token: write
       contents: write
+      attestations: write
     secrets: inherit
diff --git a/.github/workflows/cxxbridge-cmd.yml b/.github/workflows/cxxbridge-cmd.yml
index b970c77..f94a7e0 100644
--- a/.github/workflows/cxxbridge-cmd.yml
+++ b/.github/workflows/cxxbridge-cmd.yml
@@ -13,5 +13,7 @@ jobs:
       crate: cxxbridge-cmd
       bin: cxxbridge
     permissions:
+      id-token: write
       contents: write
+      attestations: write
     secrets: inherit
diff --git a/.github/workflows/dircnt.yml b/.github/workflows/dircnt.yml
index 03f2a16..ed269b6 100644
--- a/.github/workflows/dircnt.yml
+++ b/.github/workflows/dircnt.yml
@@ -12,5 +12,7 @@ jobs:
     with:
       crate: dircnt
     permissions:
+      id-token: write
       contents: write
+      attestations: write
     secrets: inherit
diff --git a/.github/workflows/dotslash.yml b/.github/workflows/dotslash.yml
index b4dc6c6..29ffba7 100644
--- a/.github/workflows/dotslash.yml
+++ b/.github/workflows/dotslash.yml
@@ -12,5 +12,7 @@ jobs:
     with:
       crate: dotslash
     permissions:
+      id-token: write
       contents: write
+      attestations: write
     secrets: inherit
diff --git a/.github/workflows/faketty.yml b/.github/workflows/faketty.yml
index 1b016e0..927ebc4 100644
--- a/.github/workflows/faketty.yml
+++ b/.github/workflows/faketty.yml
@@ -12,5 +12,7 @@ jobs:
     with:
       crate: faketty
     permissions:
+      id-token: write
       contents: write
+      attestations: write
     secrets: inherit
diff --git a/.github/workflows/honggfuzz.yml b/.github/workflows/honggfuzz.yml
index da1a7e3..a2c6842 100644
--- a/.github/workflows/honggfuzz.yml
+++ b/.github/workflows/honggfuzz.yml
@@ -13,5 +13,7 @@ jobs:
       crate: honggfuzz
       bin: cargo-hfuzz
     permissions:
+      id-token: write
       contents: write
+      attestations: write
     secrets: inherit
diff --git a/.github/workflows/mdbook.yml b/.github/workflows/mdbook.yml
index 12afc99..4e1cfdf 100644
--- a/.github/workflows/mdbook.yml
+++ b/.github/workflows/mdbook.yml
@@ -12,5 +12,7 @@ jobs:
     with:
       crate: mdbook
     permissions:
+      id-token: write
       contents: write
+      attestations: write
     secrets: inherit
diff --git a/.github/workflows/reindeer.yml b/.github/workflows/reindeer.yml
index 765d6d2..c29253c 100644
--- a/.github/workflows/reindeer.yml
+++ b/.github/workflows/reindeer.yml
@@ -13,5 +13,7 @@ jobs:
       crate: reindeer
       git: facebookincubator/reindeer
     permissions:
+      id-token: write
       contents: write
+      attestations: write
     secrets: inherit
diff --git a/.github/workflows/rustup-toolchain-install-master.yml b/.github/workflows/rustup-toolchain-install-master.yml
index a581976..8314214 100644
--- a/.github/workflows/rustup-toolchain-install-master.yml
+++ b/.github/workflows/rustup-toolchain-install-master.yml
@@ -14,5 +14,7 @@ jobs:
       git: dtolnay-contrib/rustup-toolchain-install-master
       ref: nodefault
     permissions:
+      id-token: write
       contents: write
+      attestations: write
     secrets: inherit
diff --git a/.github/workflows/sha1dir.yml b/.github/workflows/sha1dir.yml
index be9c608..afb75bf 100644
--- a/.github/workflows/sha1dir.yml
+++ b/.github/workflows/sha1dir.yml
@@ -12,5 +12,7 @@ jobs:
     with:
       crate: sha1dir
     permissions:
+      id-token: write
       contents: write
+      attestations: write
     secrets: inherit
diff --git a/.github/workflows/star-history.yml b/.github/workflows/star-history.yml
index 7b6831d..b46a66a 100644
--- a/.github/workflows/star-history.yml
+++ b/.github/workflows/star-history.yml
@@ -12,5 +12,7 @@ jobs:
     with:
       crate: star-history
     permissions:
+      id-token: write
       contents: write
+      attestations: write
     secrets: inherit
diff --git a/.github/workflows/taplo-cli.yml b/.github/workflows/taplo-cli.yml
index 027f4f1..8181b42 100644
--- a/.github/workflows/taplo-cli.yml
+++ b/.github/workflows/taplo-cli.yml
@@ -14,5 +14,7 @@ jobs:
       bin: taplo
       locked: true
     permissions:
+      id-token: write
       contents: write
+      attestations: write
     secrets: inherit