From 22226abcce4458757f5fc21329af659f53c995e8 Mon Sep 17 00:00:00 2001
From: Katherine Kiefer
Date: Sat, 9 Nov 2024 23:03:06 +1100
Subject: [PATCH] attestations
---
 .github/workflows/release.yml | 31 ++++++++++++++++++++-----------
 1 file changed, 20 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e28d8e7d..0fe2671f 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,5 +1,9 @@
 name: Build Release
+permissions:
+ id-token: write
+ attestations: write
+
 on:
 release:
 types: [published]
@@ -59,11 +63,6 @@ jobs:
 args: --target i686-unknown-linux-gnu --release --features katmos
 if: matrix.os == 'ubuntu-20.04'
- - name: Write checksum to a file
- shell: bash
- run: |
- sha256sum "target/${{ matrix.target_name }}/release/${{ matrix.artifact_name }}" | tee ${{ matrix.artifact_name }}.sha256
-
 - name: Create bindings (Ubuntu)
 uses: actions-rs/cargo@v1
 with:
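Review bot: The workflow-level `permissions:` block added in the first hunk lists only `id-token` and `attestations`, and once that key is present every scope it does not name is set to `none`, so `contents` is dropped for the whole workflow. The release-upload steps authenticate with the GITHUB_TOKEN (a `repo_token: ${{ secrets.GITHUB_TOKEN }}` line is visible in the step removed in the third hunk, and the remaining upload steps presumably do the same), and attaching release assets needs `contents: write`, so I would add `contents: write` to this block. It would also be tighter to declare these scopes on the build job rather than workflow-wide, so that any other job does not inherit the ability to mint OIDC tokens; the rest of the workflow is outside the hunk, so confirm whether other jobs exist.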
@@ -72,13 +71,22 @@ jobs:
 args: --target i686-unknown-linux-gnu --release --features katmos --package auxmos --lib -- generate_binds --exact --show-output
 if: matrix.os == 'ubuntu-20.04'
- - name: Upload checksum files to release
- uses: svenstaro/upload-release-action@v1-release
+ - name: Generate build provenance (Binaries)
+ uses: actions/attest-build-provenance@v1
 with:
- repo_token: ${{ secrets.GITHUB_TOKEN }}
- file: ${{ matrix.artifact_name }}.sha256
- asset_name: ${{ matrix.artifact_name }}.sha256
- tag: ${{ github.ref }}
+ subject-path: target/${{ matrix.target_name }}/release/${{ matrix.artifact_name }}
+
+ - name: Generate build provenance (Debug information)
+ uses: actions/attest-build-provenance@v1
+ with:
+ subject-path: target/${{ matrix.target_name }}/release/${{ matrix.debug_pdb_name }}
+ if: matrix.os == 'windows-latest'
+
+ - name: Generate build provenance (Bindings)
+ uses: actions/attest-build-provenance@v1
+ with:
+ subject-path: bindings.dm
+ if: matrix.os == 'ubuntu-20.04'
 - name: Upload binary to release
 uses: svenstaro/upload-release-action@v1-release
@@ -104,3 +112,4 @@ jobs:
 file: bindings.dm
 asset_name: bindings.dm
 tag: ${{ github.ref }}
+ if: matrix.os == 'ubuntu-20.04'
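Review bot: The three added `actions/attest-build-provenance@v1` steps reference the action by a movable tag, yet they run with `id-token: write` and produce the signed provenance, so whatever `v1` resolves to at run time decides what gets attested. Pinning to a full commit SHA, for example `uses: actions/attest-build-provenance@<full-commit-sha> # v1` (placeholder; take the SHA from the action's release page), keeps the signing step reviewable. The same applies to `svenstaro/upload-release-action@v1-release` in the context lines, which presumably receives the repository token. Because this commit also stops publishing the `.sha256` files, a short README or workflow comment telling consumers to check downloads with `gh attestation verify <artifact> --repo <owner>/<repo>` would replace the verification path they lose.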