mirror of https://github.com/dtolnay/install.git synced 2025-01-31 07:01:20 +01:00

Merge pull request #21 from dtolnay/attestation

Perform artifact attestation
David Tolnay 2025-01-26 13:09:46 -08:00 committed by GitHub
commit 8dc199752a
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
25 changed files with 53 additions and 0 deletions


@ -13,5 +13,7 @@ jobs:
crate: bindgen-cli crate: bindgen-cli
bin: bindgen bin: bindgen
permissions: permissions:
id-token: write
contents: write contents: write
attestations: write
secrets: inherit secrets: inherit
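Review bot: The two added scopes, `id-token: write` and `attestations: write`, carry no comment saying why a publish job needs them, and the same uncommented pair is repeated in the other 23 caller workflows on this page. A caller has to grant them because a reusable workflow cannot raise its token permissions above what the calling job allows, and the `actions/attest-build-provenance` step added in this commit needs both: the OIDC token to obtain a signing certificate and the attestations scope to store the result. I would add `# id-token + attestations: required by the attest-build-provenance step in the called workflow` above `id-token: write`. The job's `uses:` line is outside the hunk, so which workflow is called is inferred from the rest of the commit.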


@ -12,5 +12,7 @@ jobs:
with: with:
crate: buckle crate: buckle
permissions: permissions:
id-token: write
contents: write contents: write
attestations: write
secrets: inherit secrets: inherit


@ -38,7 +38,9 @@ jobs:
name: ${{inputs.crate}} name: ${{inputs.crate}}
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions: permissions:
id-token: write
contents: write contents: write
attestations: write
timeout-minutes: 45 timeout-minutes: 45
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
@ -63,6 +65,9 @@ jobs:
- run: gpg --output ${{inputs.bin || inputs.crate}}.sig --detach-sig ${{steps.which.outputs.which}} - run: gpg --output ${{inputs.bin || inputs.crate}}.sig --detach-sig ${{steps.which.outputs.which}}
- run: gpg --output signing-key.gpg --dearmor signing-key.asc - run: gpg --output signing-key.gpg --dearmor signing-key.asc
- run: gpg --no-default-keyring --keyring ./signing-key.gpg --verify ${{inputs.bin || inputs.crate}}.sig ${{steps.which.outputs.which}} - run: gpg --no-default-keyring --keyring ./signing-key.gpg --verify ${{inputs.bin || inputs.crate}}.sig ${{steps.which.outputs.which}}
- uses: actions/attest-build-provenance@v2
with:
subject-path: ${{steps.which.outputs.which}}
- run: git tag -d ${{inputs.crate}} || true - run: git tag -d ${{inputs.crate}} || true
- run: git tag ${{inputs.crate}} - run: git tag ${{inputs.crate}}
- run: git push origin tag ${{inputs.crate}} --force - run: git push origin tag ${{inputs.crate}} --force
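Review bot: `actions/attest-build-provenance@v2` is referenced by a movable tag in the job that now holds `id-token: write`, `contents: write` and `attestations: write`, and that also handles the GPG signing key in the steps just above. Whoever can move that tag decides what code runs with those scopes and what gets attested, so the provenance is only as trustworthy as the tag. Pin it to a full commit SHA and keep the version as a comment, `- uses: actions/attest-build-provenance@<full-commit-sha>  # v2`; the context line `actions/checkout@v4` would benefit from the same. The step list starts and continues outside the two hunks shown, so how the binary at `steps.which.outputs.which` is produced is not visible here.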


@ -12,5 +12,7 @@ jobs:
with: with:
crate: cargo-afl crate: cargo-afl
permissions: permissions:
id-token: write
contents: write contents: write
attestations: write
secrets: inherit secrets: inherit


@ -12,5 +12,7 @@ jobs:
with: with:
crate: cargo-bloat crate: cargo-bloat
permissions: permissions:
id-token: write
contents: write contents: write
attestations: write
secrets: inherit secrets: inherit


@ -12,5 +12,7 @@ jobs:
with: with:
crate: cargo-docs-rs crate: cargo-docs-rs
permissions: permissions:
id-token: write
contents: write contents: write
attestations: write
secrets: inherit secrets: inherit


@ -12,5 +12,7 @@ jobs:
with: with:
crate: cargo-expand crate: cargo-expand
permissions: permissions:
id-token: write
contents: write contents: write
attestations: write
secrets: inherit secrets: inherit


@ -12,5 +12,7 @@ jobs:
with: with:
crate: cargo-fuzz crate: cargo-fuzz
permissions: permissions:
id-token: write
contents: write contents: write
attestations: write
secrets: inherit secrets: inherit


@ -12,5 +12,7 @@ jobs:
with: with:
crate: cargo-llvm-lines crate: cargo-llvm-lines
permissions: permissions:
id-token: write
contents: write contents: write
attestations: write
secrets: inherit secrets: inherit


@ -12,5 +12,7 @@ jobs:
with: with:
crate: cargo-outdated crate: cargo-outdated
permissions: permissions:
id-token: write
contents: write contents: write
attestations: write
secrets: inherit secrets: inherit


@ -12,5 +12,7 @@ jobs:
with: with:
crate: cargo-tally crate: cargo-tally
permissions: permissions:
id-token: write
contents: write contents: write
attestations: write
secrets: inherit secrets: inherit


@ -12,5 +12,7 @@ jobs:
with: with:
crate: cargo-unlock crate: cargo-unlock
permissions: permissions:
id-token: write
contents: write contents: write
attestations: write
secrets: inherit secrets: inherit


@ -12,5 +12,7 @@ jobs:
with: with:
crate: cargo-web crate: cargo-web
permissions: permissions:
id-token: write
contents: write contents: write
attestations: write
secrets: inherit secrets: inherit


@ -12,5 +12,7 @@ jobs:
with: with:
crate: cbindgen crate: cbindgen
permissions: permissions:
id-token: write
contents: write contents: write
attestations: write
secrets: inherit secrets: inherit


@ -13,5 +13,7 @@ jobs:
crate: cxxbridge-cmd crate: cxxbridge-cmd
bin: cxxbridge bin: cxxbridge
permissions: permissions:
id-token: write
contents: write contents: write
attestations: write
secrets: inherit secrets: inherit


@ -12,5 +12,7 @@ jobs:
with: with:
crate: dircnt crate: dircnt
permissions: permissions:
id-token: write
contents: write contents: write
attestations: write
secrets: inherit secrets: inherit


@ -12,5 +12,7 @@ jobs:
with: with:
crate: dotslash crate: dotslash
permissions: permissions:
id-token: write
contents: write contents: write
attestations: write
secrets: inherit secrets: inherit


@ -12,5 +12,7 @@ jobs:
with: with:
crate: faketty crate: faketty
permissions: permissions:
id-token: write
contents: write contents: write
attestations: write
secrets: inherit secrets: inherit


@ -13,5 +13,7 @@ jobs:
crate: honggfuzz crate: honggfuzz
bin: cargo-hfuzz bin: cargo-hfuzz
permissions: permissions:
id-token: write
contents: write contents: write
attestations: write
secrets: inherit secrets: inherit


@ -12,5 +12,7 @@ jobs:
with: with:
crate: mdbook crate: mdbook
permissions: permissions:
id-token: write
contents: write contents: write
attestations: write
secrets: inherit secrets: inherit


@ -13,5 +13,7 @@ jobs:
crate: reindeer crate: reindeer
git: facebookincubator/reindeer git: facebookincubator/reindeer
permissions: permissions:
id-token: write
contents: write contents: write
attestations: write
secrets: inherit secrets: inherit


@ -14,5 +14,7 @@ jobs:
git: dtolnay-contrib/rustup-toolchain-install-master git: dtolnay-contrib/rustup-toolchain-install-master
ref: nodefault ref: nodefault
permissions: permissions:
id-token: write
contents: write contents: write
attestations: write
secrets: inherit secrets: inherit


@ -12,5 +12,7 @@ jobs:
with: with:
crate: sha1dir crate: sha1dir
permissions: permissions:
id-token: write
contents: write contents: write
attestations: write
secrets: inherit secrets: inherit


@ -12,5 +12,7 @@ jobs:
with: with:
crate: star-history crate: star-history
permissions: permissions:
id-token: write
contents: write contents: write
attestations: write
secrets: inherit secrets: inherit


@ -14,5 +14,7 @@ jobs:
bin: taplo bin: taplo
locked: true locked: true
permissions: permissions:
id-token: write
contents: write contents: write
attestations: write
secrets: inherit secrets: inherit