From 167608c7c7f852e9759a27fcf9eb892bd1704b80 Mon Sep 17 00:00:00 2001 From: pasta Date: Tue, 22 Oct 2024 10:24:37 -0500 Subject: [PATCH] Merge #6338: ci: attest results of guix builds cd712e86b7ea11fe3c5ce13107beec089514911c ci: attest results of guix builds (pasta) Pull request description: ## Issue being fixed or feature implemented This simply adds attestations to guix results by GitHub. This way, not only can someone verify that all us developers agree, but also that GitHub hosted runners agree :) ## What was done? Add actions/attest-build-provenance to guix-build CI ## How Has This Been Tested? see: https://github.com/PastaPastaPasta/dash/actions/runs/11239755631 ## Breaking Changes None ## Checklist: _Go over all the following points, and put an `x` in all the boxes that apply._ - [x] I have performed a self-review of my own code - [ ] I have commented my code, particularly in hard-to-understand areas - [ ] I have added or updated relevant unit/integration/functional/e2e tests - [ ] I have made corresponding changes to the documentation - [x] I have assigned this pull request to a milestone _(for repository code-owners and collaborators only)_ ACKs for top commit: UdjinM6: utACK cd712e86b7ea11fe3c5ce13107beec089514911c Tree-SHA512: b590ee2cf29aa57f78cb68c22d5327e8c9272d63d523c3b64fbbdffabb90981a6b6505c5f511bde19310ea1d8c96fc6d181359a7d7a0672612473110cbe079ef --- .github/workflows/guix-build.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/guix-build.yml b/.github/workflows/guix-build.yml index 8d1dd36219..e6435e7efc 100644 --- a/.github/workflows/guix-build.yml +++ b/.github/workflows/guix-build.yml @@ -2,6 +2,8 @@ name: Guix Build permissions: packages: write + id-token: write + attestations: write on: pull_request_target: 
@@ -127,3 +129,7 @@ jobs: path: | ${{ github.workspace }}/dash/guix-build*/output/${{ matrix.build_target }}/ + - name: Attest build provenance + uses: actions/attest-build-provenance@v1 + with: + subject-path: ${{ github.workspace }}/dash/guix-build*/output/${{ matrix.build_target }}/*
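Review bot: In the first hunk, `id-token: write` and `attestations: write` are added to the workflow-level `permissions:` block, so every job and step in this workflow receives them, and the context line shows the workflow is triggered by `pull_request_target`. If any job builds code taken from the pull request head, that code runs with a token that can request an OIDC identity and write attestations for the repository. Consider declaring these two permissions in a `permissions:` block on the job that contains the attest step, and leaving the workflow-level block as it was.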
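Review bot: In the second hunk, `uses: actions/attest-build-provenance@v1` references a mutable tag in a step that runs with `id-token: write`. Pin it to a full commit SHA, with the version in a trailing comment, so a retagged release cannot change what signs the artifacts. The step also has no `if:` condition, so under the `pull_request_target` trigger it would attest artifacts built for pull requests as well. Consider restricting it to the events whose output should carry provenance. Finally, `subject-path` ends in `/*` while the `path:` in the step above takes the whole directory, so confirm the glob covers every file that is uploaded.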