Generate artifact attestation

ntkme · ntkme · commit fcb0a2a5342a · 2025-02-14T11:14:33.000-08:00
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -55,7 +55,7 @@ jobs:
           }
           EOF
           cd dart-sdk/sdk
-          ./tools/sdks/dart-sdk/bin/dart run /tmp/version.dart | tee -a $GITHUB_OUTPUT
+          ./tools/sdks/dart-sdk/bin/dart run /tmp/version.dart | tee -a "$GITHUB_OUTPUT"
 
       - name: Fetch Checked-in Dart SDK
         run: |
@@ -89,6 +89,10 @@ jobs:
 
     runs-on: ubuntu-latest
 
+    permissions:
+      id-token: write
+      attestations: write
+
     container:
       image: docker.io/library/alpine
 
@@ -151,6 +155,11 @@ jobs:
         run: |
           tar -czf dartsdk-linux-${{ matrix.target-arch }}-release.tar.gz -C dart-sdk/sdk/out/Release* -- dart-sdk
 
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-path: dartsdk-linux-${{ matrix.target-arch }}-release.tar.gz
+
       - name: Upload Artifact
         uses: actions/upload-artifact@v4
         with:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -7,6 +7,9 @@ on:
 
 jobs:
   build:
+    permissions:
+      id-token: write
+      attestations: write
     uses: ./.github/workflows/build.yml
     with:
       ref: ${{ github.ref_name }}
diff --git a/.github/workflows/schedule.yml b/.github/workflows/schedule.yml
@@ -58,6 +58,9 @@ jobs:
   stable:
     needs: [latest]
     if: needs.latest.outputs.stable-cache-hit != 'true'
+    permissions:
+      id-token: write
+      attestations: write
     uses: ./.github/workflows/build.yml
     with:
       ref: ${{ needs.latest.outputs.stable-version }}
@@ -66,6 +69,9 @@ jobs:
   beta:
     needs: [latest]
     if: needs.latest.outputs.beta-cache-hit != 'true' && needs.latest.outputs.beta-version != needs.latest.outputs.stable-version
+    permissions:
+      id-token: write
+      attestations: write
     uses: ./.github/workflows/build.yml
     with:
       ref: ${{ needs.latest.outputs.beta-version }}
@@ -74,13 +80,19 @@ jobs:
   dev:
     needs: [latest]
     if: needs.latest.outputs.dev-cache-hit != 'true' && needs.latest.outputs.dev-version != needs.latest.outputs.beta-version && needs.latest.outputs.dev-version != needs.latest.outputs.stable-version
+    permissions:
+      id-token: write
+      attestations: write
     uses: ./.github/workflows/build.yml
     with:
       ref: ${{ needs.latest.outputs.dev-version }}
     secrets: inherit
 
   edge:
     needs: [latest]
+    permissions:
+      id-token: write
+      attestations: write
     uses: ./.github/workflows/build.yml
     with:
       ref: ${{ needs.latest.outputs.edge-version }}
