From ef622f5ab60fd544ba3491568025b1bb677f2fb7 Mon Sep 17 00:00:00 2001
From: David Tolnay
Date: Sun, 26 Jan 2025 12:48:26 -0800
Subject: [PATCH] Perform artifact attestation

---
 .github/workflows/bindgen.yml | 2 ++
 .github/workflows/buckle.yml | 2 ++
 .github/workflows/build.yml | 5 +++++
 .github/workflows/cargo-afl.yml | 2 ++
 .github/workflows/cargo-bloat.yml | 2 ++
 .github/workflows/cargo-docs-rs.yml | 2 ++
 .github/workflows/cargo-expand.yml | 2 ++
 .github/workflows/cargo-fuzz.yml | 2 ++
 .github/workflows/cargo-llvm-lines.yml | 2 ++
 .github/workflows/cargo-outdated.yml | 2 ++
 .github/workflows/cargo-tally.yml | 2 ++
 .github/workflows/cargo-unlock.yml | 2 ++
 .github/workflows/cargo-web.yml | 2 ++
 .github/workflows/cbindgen.yml | 2 ++
 .github/workflows/cxxbridge-cmd.yml | 2 ++
 .github/workflows/dircnt.yml | 2 ++
 .github/workflows/dotslash.yml | 2 ++
 .github/workflows/faketty.yml | 2 ++
 .github/workflows/honggfuzz.yml | 2 ++
 .github/workflows/mdbook.yml | 2 ++
 .github/workflows/reindeer.yml | 2 ++
 .github/workflows/rustup-toolchain-install-master.yml | 2 ++
 .github/workflows/sha1dir.yml | 2 ++
 .github/workflows/star-history.yml | 2 ++
 .github/workflows/taplo-cli.yml | 2 ++
 25 files changed, 53 insertions(+)

diff --git a/.github/workflows/bindgen.yml b/.github/workflows/bindgen.yml
index 865de82..26d1800 100644
--- a/.github/workflows/bindgen.yml
+++ b/.github/workflows/bindgen.yml
@@ -13,5 +13,7 @@ jobs:
 crate: bindgen-cli
 bin: bindgen
 permissions:
+ id-token: write
 contents: write
+ attestations: write
 secrets: inherit
diff --git a/.github/workflows/buckle.yml b/.github/workflows/buckle.yml
index 286321c..cc92e63 100644
--- a/.github/workflows/buckle.yml
+++ b/.github/workflows/buckle.yml
@@ -12,5 +12,7 @@ jobs:
 with:
 crate: buckle
 permissions:
+ id-token: write
 contents: write
+ attestations: write
 secrets: inherit
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 2616d53..d8178f3 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -38,7 +38,9 @@ jobs:
 name: ${{inputs.crate}}
 runs-on: ubuntu-latest
 permissions:
+ id-token: write
 contents: write
+ attestations: write
 timeout-minutes: 45
 steps:
 - uses: actions/checkout@v4
@@ -63,6 +65,9 @@ jobs:
 - run: gpg --output ${{inputs.bin || inputs.crate}}.sig --detach-sig ${{steps.which.outputs.which}}
 - run: gpg --output signing-key.gpg --dearmor signing-key.asc
 - run: gpg --no-default-keyring --keyring ./signing-key.gpg --verify ${{inputs.bin || inputs.crate}}.sig ${{steps.which.outputs.which}}
+ - uses: actions/attest-build-provenance@v2
+ with:
+ subject-path: ${{steps.which.outputs.which}}
 - run: git tag -d ${{inputs.crate}} || true
 - run: git tag ${{inputs.crate}}
 - run: git push origin tag ${{inputs.crate}} --force
diff --git a/.github/workflows/cargo-afl.yml b/.github/workflows/cargo-afl.yml
index 9729a4b..63ba093 100644
--- a/.github/workflows/cargo-afl.yml
+++ b/.github/workflows/cargo-afl.yml
@@ -12,5 +12,7 @@ jobs:
 with:
 crate: cargo-afl
 permissions:
+ id-token: write
 contents: write
+ attestations: write
 secrets: inherit
diff --git a/.github/workflows/cargo-bloat.yml b/.github/workflows/cargo-bloat.yml
index 6e7b45c..de3c6da 100644
--- a/.github/workflows/cargo-bloat.yml
+++ b/.github/workflows/cargo-bloat.yml
@@ -12,5 +12,7 @@ jobs:
 with:
 crate: cargo-bloat
 permissions:
+ id-token: write
 contents: write
+ attestations: write
 secrets: inherit
diff --git a/.github/workflows/cargo-docs-rs.yml b/.github/workflows/cargo-docs-rs.yml
index 8c9ac79..8ba03ab 100644
--- a/.github/workflows/cargo-docs-rs.yml
+++ b/.github/workflows/cargo-docs-rs.yml
@@ -12,5 +12,7 @@ jobs:
 with:
 crate: cargo-docs-rs
 permissions:
+ id-token: write
 contents: write
+ attestations: write
 secrets: inherit
diff --git a/.github/workflows/cargo-expand.yml b/.github/workflows/cargo-expand.yml
index 2477051..a229b0b 100644
--- a/.github/workflows/cargo-expand.yml
+++ b/.github/workflows/cargo-expand.yml
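Review bot: The attestation step added in the second build.yml hunk references `actions/attest-build-provenance@v2` by a mutable major tag, so the action that produces the provenance and runs under the job's new `id-token: write` grant can change without any edit to this repository; pin it to a full commit SHA and keep the tag as a trailing comment, e.g. `- uses: actions/attest-build-provenance@<full-commit-sha>  # v2` (placeholder, substitute the real SHA), and the same treatment would suit `actions/checkout@v4` already in the file. The gpg sign/verify lines are context here and the rest of the job lies outside the hunk, so I cannot tell whether the attested binary is uploaded later by a step that could still alter it; a one-line comment stating that `subject-path` must be the exact file that is published would make that invariant explicit. In the first build.yml hunk, a comment above `id-token: write` such as `# id-token + attestations: required by actions/attest-build-provenance below` would document why the reusable workflow, and each caller workflow in this commit (bindgen.yml through taplo-cli.yml), now needs an OIDC token and the attestations scope.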
@@ -12,5 +12,7 @@ jobs:
 with:
 crate: cargo-expand
 permissions:
+ id-token: write
 contents: write
+ attestations: write
 secrets: inherit
diff --git a/.github/workflows/cargo-fuzz.yml b/.github/workflows/cargo-fuzz.yml
index 71bb384..8d48884 100644
--- a/.github/workflows/cargo-fuzz.yml
+++ b/.github/workflows/cargo-fuzz.yml
@@ -12,5 +12,7 @@ jobs:
 with:
 crate: cargo-fuzz
 permissions:
+ id-token: write
 contents: write
+ attestations: write
 secrets: inherit
diff --git a/.github/workflows/cargo-llvm-lines.yml b/.github/workflows/cargo-llvm-lines.yml
index 674177e..b0b41e8 100644
--- a/.github/workflows/cargo-llvm-lines.yml
+++ b/.github/workflows/cargo-llvm-lines.yml
@@ -12,5 +12,7 @@ jobs:
 with:
 crate: cargo-llvm-lines
 permissions:
+ id-token: write
 contents: write
+ attestations: write
 secrets: inherit
diff --git a/.github/workflows/cargo-outdated.yml b/.github/workflows/cargo-outdated.yml
index e510ed5..0eeaff3 100644
--- a/.github/workflows/cargo-outdated.yml
+++ b/.github/workflows/cargo-outdated.yml
@@ -12,5 +12,7 @@ jobs:
 with:
 crate: cargo-outdated
 permissions:
+ id-token: write
 contents: write
+ attestations: write
 secrets: inherit
diff --git a/.github/workflows/cargo-tally.yml b/.github/workflows/cargo-tally.yml
index 70081cc..5fb40c1 100644
--- a/.github/workflows/cargo-tally.yml
+++ b/.github/workflows/cargo-tally.yml
@@ -12,5 +12,7 @@ jobs:
 with:
 crate: cargo-tally
 permissions:
+ id-token: write
 contents: write
+ attestations: write
 secrets: inherit
diff --git a/.github/workflows/cargo-unlock.yml b/.github/workflows/cargo-unlock.yml
index e744f8f..ed1433a 100644
--- a/.github/workflows/cargo-unlock.yml
+++ b/.github/workflows/cargo-unlock.yml
@@ -12,5 +12,7 @@ jobs:
 with:
 crate: cargo-unlock
 permissions:
+ id-token: write
 contents: write
+ attestations: write
 secrets: inherit
diff --git a/.github/workflows/cargo-web.yml b/.github/workflows/cargo-web.yml
index f651b81..29b1220 100644
--- a/.github/workflows/cargo-web.yml
+++ b/.github/workflows/cargo-web.yml
@@ -12,5 +12,7 @@ jobs:
 with:
 crate: cargo-web
 permissions:
+ id-token: write
 contents: write
+ attestations: write
 secrets: inherit
diff --git a/.github/workflows/cbindgen.yml b/.github/workflows/cbindgen.yml
index 6ef9866..73d59a6 100644
--- a/.github/workflows/cbindgen.yml
+++ b/.github/workflows/cbindgen.yml
@@ -12,5 +12,7 @@ jobs:
 with:
 crate: cbindgen
 permissions:
+ id-token: write
 contents: write
+ attestations: write
 secrets: inherit
diff --git a/.github/workflows/cxxbridge-cmd.yml b/.github/workflows/cxxbridge-cmd.yml
index b970c77..f94a7e0 100644
--- a/.github/workflows/cxxbridge-cmd.yml
+++ b/.github/workflows/cxxbridge-cmd.yml
@@ -13,5 +13,7 @@ jobs:
 crate: cxxbridge-cmd
 bin: cxxbridge
 permissions:
+ id-token: write
 contents: write
+ attestations: write
 secrets: inherit
diff --git a/.github/workflows/dircnt.yml b/.github/workflows/dircnt.yml
index 03f2a16..ed269b6 100644
--- a/.github/workflows/dircnt.yml
+++ b/.github/workflows/dircnt.yml
@@ -12,5 +12,7 @@ jobs:
 with:
 crate: dircnt
 permissions:
+ id-token: write
 contents: write
+ attestations: write
 secrets: inherit
diff --git a/.github/workflows/dotslash.yml b/.github/workflows/dotslash.yml
index b4dc6c6..29ffba7 100644
--- a/.github/workflows/dotslash.yml
+++ b/.github/workflows/dotslash.yml
@@ -12,5 +12,7 @@ jobs:
 with:
 crate: dotslash
 permissions:
+ id-token: write
 contents: write
+ attestations: write
 secrets: inherit
diff --git a/.github/workflows/faketty.yml b/.github/workflows/faketty.yml
index 1b016e0..927ebc4 100644
--- a/.github/workflows/faketty.yml
+++ b/.github/workflows/faketty.yml
@@ -12,5 +12,7 @@ jobs:
 with:
 crate: faketty
 permissions:
+ id-token: write
 contents: write
+ attestations: write
 secrets: inherit
diff --git a/.github/workflows/honggfuzz.yml b/.github/workflows/honggfuzz.yml
index da1a7e3..a2c6842 100644
--- a/.github/workflows/honggfuzz.yml
+++ b/.github/workflows/honggfuzz.yml
@@ -13,5 +13,7 @@ jobs:
 crate: honggfuzz
 bin: cargo-hfuzz
 permissions:
+ id-token: write
 contents: write
+ attestations: write
 secrets: inherit
diff --git a/.github/workflows/mdbook.yml b/.github/workflows/mdbook.yml
index 12afc99..4e1cfdf 100644
--- a/.github/workflows/mdbook.yml
+++ b/.github/workflows/mdbook.yml
@@ -12,5 +12,7 @@ jobs:
 with:
 crate: mdbook
 permissions:
+ id-token: write
 contents: write
+ attestations: write
 secrets: inherit
diff --git a/.github/workflows/reindeer.yml b/.github/workflows/reindeer.yml
index 765d6d2..c29253c 100644
--- a/.github/workflows/reindeer.yml
+++ b/.github/workflows/reindeer.yml
@@ -13,5 +13,7 @@ jobs:
 crate: reindeer
 git: facebookincubator/reindeer
 permissions:
+ id-token: write
 contents: write
+ attestations: write
 secrets: inherit
diff --git a/.github/workflows/rustup-toolchain-install-master.yml b/.github/workflows/rustup-toolchain-install-master.yml
index a581976..8314214 100644
--- a/.github/workflows/rustup-toolchain-install-master.yml
+++ b/.github/workflows/rustup-toolchain-install-master.yml
@@ -14,5 +14,7 @@ jobs:
 git: dtolnay-contrib/rustup-toolchain-install-master
 ref: nodefault
 permissions:
+ id-token: write
 contents: write
+ attestations: write
 secrets: inherit
diff --git a/.github/workflows/sha1dir.yml b/.github/workflows/sha1dir.yml
index be9c608..afb75bf 100644
--- a/.github/workflows/sha1dir.yml
+++ b/.github/workflows/sha1dir.yml
@@ -12,5 +12,7 @@ jobs:
 with:
 crate: sha1dir
 permissions:
+ id-token: write
 contents: write
+ attestations: write
 secrets: inherit
diff --git a/.github/workflows/star-history.yml b/.github/workflows/star-history.yml
index 7b6831d..b46a66a 100644
--- a/.github/workflows/star-history.yml
+++ b/.github/workflows/star-history.yml
@@ -12,5 +12,7 @@ jobs:
 with:
 crate: star-history
 permissions:
+ id-token: write
 contents: write
+ attestations: write
 secrets: inherit
diff --git a/.github/workflows/taplo-cli.yml b/.github/workflows/taplo-cli.yml
index 027f4f1..8181b42 100644
--- a/.github/workflows/taplo-cli.yml
+++ b/.github/workflows/taplo-cli.yml
@@ -14,5 +14,7 @@ jobs:
 bin: taplo
 locked: true
 permissions:
+ id-token: write
 contents: write
+ attestations: write
 secrets: inherit