feat: add attestation to installer

Homebrew · Jul 23, 2024 · d6bcdff · d6bcdff
1 parent 6b4e7bb
commit d6bcdff
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/.github/workflows/pkg-installer.yml b/.github/workflows/pkg-installer.yml
@@ -19,6 +19,10 @@ jobs:
   build:
     if: github.repository_owner == 'Homebrew'
     runs-on: macos-latest
+    permissions:
+      contents: read # for code access
+      attestations: write # for actions/attest-build-provenance
+      id-token: write # for actions/attest-build-provenance
     outputs:
       installer_path: "Homebrew-${{ steps.homebrew-version.outputs.version }}.pkg"
     env:
@@ -119,6 +123,11 @@ jobs:
             security delete-keychain "${RUNNER_TEMP}/${TEMPORARY_KEYCHAIN_FILE}"
           fi
 
+      - name: Generate build provenance
+        uses: actions/[email protected]
+        with:
+          subject-path: Homebrew-${{ steps.homebrew-version.outputs.version }}.pkg
+
       - name: Upload installer to GitHub Actions
         uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4
         with: