From 00d3600881d321ee02bc03413caf68a5b55f5a94 Mon Sep 17 00:00:00 2001
From: Jay Lee
Date: Mon, 6 May 2024 09:35:49 -0400
Subject: [PATCH] actions: GH Attestation for GAM executables and packages

https://github.blog/changelog/2024-05-02-artifact-attestations-public-beta/

attest that GAM was built on GitHub actions to help end users validate they're running a legit GAM binary.
---
 .github/workflows/build.yml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index b408cde1..1d54c77f 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -9,6 +9,7 @@ on:
 permissions:
   contents: read
   id-token: write
+  attestations: write
 
 defaults:
   run:
@@ -546,6 +547,9 @@ jobs:
           export gam="${gampath}/gam"
           echo "gampath=${gampath}" >> $GITHUB_ENV
           echo "gam=${gam}" >> $GITHUB_ENV
+          if [[ "${RUNNER_OS}" == "Windows" ]]; then
+            gam=$(cygpath -w "$gam")
+          fi
           echo -e "GAM: ${gam}\nGAMPATH: ${gampath}"
           # TEMP force everything back to one file.
           export PYINSTALLER_BUILD_ONEFILE="yes"
@@ -596,6 +600,12 @@ jobs:
           echo "GAM Version ${GAMVERSION}"
           echo "GAMVERSION=${GAMVERSION}" >> $GITHUB_ENV
 
+      - name: Attest Binary Provenance
+        uses: actions/attest-build-provenance@v1
+        if: matrix.goal == 'build'
+        with:
+          subject-path: ${{ env.gam }}
+
       - name: Linux/MacOS package
         if: runner.os != 'Windows' && matrix.goal == 'build'
         run: |
@@ -852,6 +862,15 @@ jobs:
           fi
           tar cJvvf cache.tar.xz $tar_folders
 
+      - name: Attest Build Archive Provenance
+        uses: actions/attest-build-provenance@v1
+        if: (github.event_name == 'push' || github.event_name == 'schedule') && matrix.goal == 'build'
+        with:
+          subject-path: |
+            gam*.tar.xz
+            gam*.zip
+            gam*.msi
+
       - name: Archive production artifacts
         uses: actions/upload-artifact@v4
         if: (github.event_name == 'push' || github.event_name == 'schedule') && matrix.goal != 'test'
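Review bot: The `cygpath -w` conversion in the `@@ -546` hunk is applied to the shell variable only after `echo "gam=${gam}" >> $GITHUB_ENV` has already been written, so later steps that read `env.gam` on Windows — including the new `subject-path: ${{ env.gam }}` attestation step — still receive the unconverted path. If the converted form is what downstream steps need, move the `if [[ "${RUNNER_OS}" == "Windows" ]]; then` / `gam=$(cygpath -w "$gam")` / `fi` block above the existing `echo "gam=${gam}" >> $GITHUB_ENV` line so the exported value is the converted one. The enclosing `run:` script starts and ends outside the hunk, so whether anything further down relies on the unconverted form is not visible here.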
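Review bot: The `Attest Binary Provenance` step (`@@ -596` hunk) is gated only on `matrix.goal == 'build'`, whereas the archive attestation step added in the `@@ -852` hunk is also gated on `github.event_name == 'push' || github.event_name == 'schedule'`; on `pull_request` runs, where the OIDC token behind `id-token: write` is presumably not issued for forks, the step would likely fail the job rather than be skipped. Aligning the condition, `if: (github.event_name == 'push' || github.event_name == 'schedule') && matrix.goal == 'build'`, keeps the two attestation steps consistent and limits signing to trusted events. Separately, `actions/attest-build-provenance@v1` (here and in the archive step) is pinned to a mutable tag; the file already pins `actions/upload-artifact@v4` the same way, so this is a style choice, but pinning an action that signs release artifacts to a full commit SHA, with the tag kept in a trailing `# v1` comment, would be the stronger supply-chain posture.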
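Review bot: `subject-path` in the `@@ -852` hunk lists `gam*.tar.xz`, `gam*.zip` and `gam*.msi` unconditionally, but the step runs across the OS matrix where, judging from the `runner.os != 'Windows'` gate on the packaging step in the `@@ -596` hunk, only some of those files exist on a given runner; whether the action tolerates a pattern that matches nothing as long as another pattern matches should be confirmed against the action's documentation before the release pipeline depends on it. If it does not, split into per-OS attestation steps or gate the patterns, and record the expectation in a comment such as `# tar.xz on Linux/macOS; zip/msi on Windows`. The `gam*` prefix also means `cache.tar.xz` from the preceding `tar` line is excluded from attestation; a one-line comment stating that this is intentional would save the next reader from guessing.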