Attestation (#1376)
authortsteven4 <13596209+tsteven4@users.noreply.github.com>
Sun, 10 Nov 2024 21:33:59 +0000 (14:33 -0700)
committerGitHub <noreply@github.com>
Sun, 10 Nov 2024 21:33:59 +0000 (14:33 -0700)
* try attestation on windows continuous releases.

* add attestation for macos, linux continuous releases.

.github/workflows/macos.yml
.github/workflows/ubuntu.yml
.github/workflows/windows.yml

index 998c82702ca96ddbd0a9e386cab1fc744260f2e8..5954a284554d4d1b33315128b7b2547809148d9a 100644 (file)
@@ -13,6 +13,10 @@ on:
 jobs:
   macos:
     name: macOS Build
+    permissions:
+      id-token: write
+      contents: read
+      attestations: write
     runs-on: ${{ matrix.os }}
     strategy:
       fail-fast: false
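Review bot: The job-level `permissions` block added under `macos:` sets `contents: read`, but the Deploy step further down this file passes `GITHUB_TOKEN` to `./tools/uploadtool/upload_github.sh`. That script is not shown here, but if it creates or replaces release assets it needs `contents: write`, so the upload is likely to be rejected. Once a `permissions` key is present, every scope not listed drops to none. The same block is added to the `snap` job in ubuntu.yml and the `windows` job in windows.yml, so check their Deploy steps too. Because the grant is job-wide, the build and test scripts also run with `id-token: write`; a small follow-up job that only receives the artifact and attests it would keep those scopes away from the build steps. If the block stays here, add a comment such as `# id-token + attestations: required by actions/attest-build-provenance`.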
@@ -94,6 +98,12 @@ jobs:
         sudo xcode-select --switch /Applications/Xcode_${{ matrix.XCODE_VERSION }}.app
         ./tools/ci_script_osx.sh . ${{ matrix.QT_VERSION }} ${{ matrix.GENERATOR }}
 
+    - name: Generate artifact attestation
+      if: ( github.event_name == 'push' ) && ( github.ref == 'refs/heads/master' ) && matrix.RELEASE
+      uses: actions/attest-build-provenance@v1
+      with:
+        subject-path: 'gui/GPSBabel-*.dmg'
+
     - name: Deploy
       # This only handles continous releases now, for other events artifacts may be saved in
       # the 'Upload Artifacts' step.
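Review bot: `uses: actions/attest-build-provenance@v1` references a movable tag in a job that holds `id-token: write` and `attestations: write`, so whatever `v1` points to at run time can sign provenance for this repository. Pin it to a full commit SHA with the version as a trailing comment, e.g. `uses: actions/attest-build-provenance@<full-commit-sha>  # v1.x.y` (placeholder; take the value from the action's release page). The same line appears in the snap step in ubuntu.yml and the windows step in windows.yml. A short comment noting that the `if:` is meant to mirror the Deploy step's condition would also help, since that condition lies outside this hunk and an attestation is only useful for artifacts that are actually published.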
@@ -102,7 +112,6 @@ jobs:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         RELEASE_NAME: Continuous-${{ runner.os }}
       run: |
-        echo GITHUB_REF: $GITHUB_REF
         ./tools/uploadtool/upload_github.sh gui/GPSBabel-*.dmg
 
     - name: 'Upload Artifacts'
index 6f28d773e3885bf031b6d3cf63b6740759055fff..973a12cfdcd33f78860b7a42523c3a35f66629c2 100644 (file)
@@ -86,6 +86,10 @@ jobs:
 
   snap:
     name: snap Build
+    permissions:
+      id-token: write
+      contents: read
+      attestations: write
     runs-on: ubuntu-latest
     outputs:
       snap-file: ${{ steps.build-snap.outputs.snap }}
@@ -106,6 +110,12 @@ jobs:
         /snap/bin/gpsbabel -D3 || true
         ./testo -p /snap/bin/gpsbabel 
 
+    - name: Generate artifact attestation
+      if: ( github.event_name == 'push' ) && ( github.ref == 'refs/heads/master' )
+      uses: actions/attest-build-provenance@v1
+      with:
+        subject-path: ${{ steps.build-snap.outputs.snap }}
+
     - name: Deploy
       # This only handles continous releases now, for other events artifacts may be saved in
       # the 'Upload Artifacts' step.
index 6b9d5d932792a12d79dda3d12a08bb326907c51e..bac4c141e9b5658d3d015e24b1c36a73b8f7742d 100644 (file)
@@ -14,6 +14,10 @@ jobs:
 
   windows:
     name: windows Build
+    permissions:
+      id-token: write
+      contents: read
+      attestations: write
     runs-on: ${{ matrix.os }}
     strategy:
       fail-fast: false
@@ -98,6 +102,12 @@ jobs:
         PNAME=./bld/gui/package/gpsbabel.exe GBTEMP=./gbtemp ./testo 2>&1
         PNAME=./bld/gui/package/gpsbabel.exe GBTEMP=./gbtemp ./test_encoding_utf8 2>&1
 
+    - name: Generate artifact attestation
+      if: ( github.event_name == 'push' ) && ( github.ref == 'refs/heads/master' ) && matrix.RELEASE
+      uses: actions/attest-build-provenance@v1
+      with:
+        subject-path: 'bld/gui/GPSBabel-*-Setup.exe'
+
     - name: Deploy
       # This only handles continous releases now, for other events artifacts may be saved in
       # the 'Upload Artifacts' step.