From 8eae9ee7300d540ac402410dff2c2594bd06999a Mon Sep 17 00:00:00 2001
From: Sean Molenaar
Date: Sat, 12 Oct 2024 12:24:14 +0200
Subject: [PATCH 1/2] feat: add attestation to the pkg installer

---
 .github/workflows/pkg-installer.yml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/.github/workflows/pkg-installer.yml b/.github/workflows/pkg-installer.yml
index ac47f264bafac..c1ce3ce9c0070 100644
--- a/.github/workflows/pkg-installer.yml
+++ b/.github/workflows/pkg-installer.yml
@@ -11,6 +11,10 @@ on:
   release:
     types:
       - published
+permissions:
+  contents: read # for code access
+  attestations: write # for actions/attest-build-provenance
+  id-token: write # for actions/attest-build-provenance
 env:
   PKG_APPLE_DEVELOPER_TEAM_ID: ${{ secrets.PKG_APPLE_DEVELOPER_TEAM_ID }}
   HOMEBREW_NO_ANALYTICS_THIS_RUN: 1
@@ -124,6 +128,11 @@ jobs:
           security delete-keychain "${RUNNER_TEMP}/${TEMPORARY_KEYCHAIN_FILE}"
         fi
 
+      - name: Generate build provenance
+        uses: actions/attest-build-provenance@5e9cb68e95676991667494a6a4e59b8a2f13e1d0 # v1.3.3
+        with:
+          subject-path: Homebrew-${{ steps.homebrew-version.outputs.version }}.pkg
+
       - name: Upload installer to GitHub Actions
         uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4
         with:

From 78573231af4c2de3f194369be0ca8406524d3a8d Mon Sep 17 00:00:00 2001
From: Sean Molenaar
Date: Sun, 13 Oct 2024 15:49:59 +0200
Subject: [PATCH 2/2] fix: only scope permissions to build job

---
 .github/workflows/pkg-installer.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/pkg-installer.yml b/.github/workflows/pkg-installer.yml
index c1ce3ce9c0070..15aff146a6e41 100644
--- a/.github/workflows/pkg-installer.yml
+++ b/.github/workflows/pkg-installer.yml
@@ -11,10 +11,6 @@ on:
   release:
     types:
       - published
-permissions:
-  contents: read # for code access
-  attestations: write # for actions/attest-build-provenance
-  id-token: write # for actions/attest-build-provenance
 env:
   PKG_APPLE_DEVELOPER_TEAM_ID: ${{ secrets.PKG_APPLE_DEVELOPER_TEAM_ID }}
   HOMEBREW_NO_ANALYTICS_THIS_RUN: 1
@@ -35,6 +31,10 @@ jobs:
       TEMPORARY_KEYCHAIN_FILE: 'homebrew_installer_signing.keychain-db'
       # Set to the oldest supported version of macOS
       HOMEBREW_MACOS_OLDEST_SUPPORTED: '13.0'
+    permissions:
+      contents: read # for code access
+      attestations: write # for actions/attest-build-provenance
+      id-token: write # for actions/attest-build-provenance
     steps:
       - name: Remove existing API cache (to force update)
         run: rm -rvf ~/Library/Caches/Homebrew/api
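Review bot: The attested subject `Homebrew-${{ steps.homebrew-version.outputs.version }}.pkg` has to be the exact bytes that end up published; if any step after this one still modifies the package (for example stapling a notarization ticket, which would be after the keychain cleanup visible just above), the recorded digest will no longer match the release asset and `gh attestation verify` will fail for users. The rest of the job starts and ends outside this hunk, so confirm the step order there and move the attestation after the last step that touches the file if needed. A short comment on the step, `# Attest the final signed .pkg; consumers verify with: gh attestation verify <FILE> --repo <OWNER/REPO>`, would document that intent for the next maintainer.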
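Review bot: With the workflow-level `permissions` block removed in the first hunk and only this job given explicit scopes, any other job in this workflow (none is visible in these hunks) now falls back to the repository's default `GITHUB_TOKEN` permissions, which may be broader than read-only. Keeping a minimal workflow-level baseline such as `permissions: {}` or `permissions: { contents: read }` and letting this job alone add `attestations: write` and `id-token: write` makes the least-privilege intent explicit and independent of the repository default. If the build job is the only job in the file this is a no-op today, but it still documents the baseline for jobs added later.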