From 51b5032ec09372019b16a9a06194db42f634d7ec Mon Sep 17 00:00:00 2001
From: Rafael Oliveira
Date: Sat, 26 Oct 2024 21:55:57 +0200
Subject: [PATCH] chore: Attest release artifacts with sigstore/cosign (#6016)

This ensures all builds are verifiable by https://www.sigstore.dev/.

Co-authored-by: ludvigch
---
 .github/workflows/jreleaser.yml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/.github/workflows/jreleaser.yml b/.github/workflows/jreleaser.yml
index ed7612e61aa..a7d1e1475b7 100644
--- a/.github/workflows/jreleaser.yml
+++ b/.github/workflows/jreleaser.yml
@@ -7,6 +7,10 @@ on:
         required: true
         type: string
 
+permissions:
+  id-token: write # for verifying identity in attestation process
+  attestations: write # to push attestation
+
 jobs:
   jreleaser:
     runs-on: ubuntu-latest
@@ -29,6 +33,11 @@ jobs:
           JRELEASER_NEXUS2_MAVEN_CENTRAL_USERNAME: ${{ secrets.JRELEASER_NEXUS2_MAVEN_CENTRAL_USERNAME }}
           JRELEASER_NEXUS2_MAVEN_CENTRAL_PASSWORD: ${{ secrets.JRELEASER_NEXUS2_MAVEN_CENTRAL_PASSWORD }}
 
+      - name: Sign artifacts with sigstore/cosign
+        uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3
+        with:
+          subject-path: './target/staging-deploy/**/*.jar'
+
       # Log failures
       - name: JReleaser release output
         if: always()
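Review bot: Declaring a top-level `permissions:` block resets every unlisted scope of GITHUB_TOKEN to `none`, so this hunk silently drops `contents: read`; if the `jreleaser` job checks out the repository or reads release metadata (its steps are outside the hunk), that step will start failing with a 403 once this lands. Add `contents: read` alongside the two new scopes, which is also what the attest-build-provenance documentation lists as the minimum. Workflow-level permissions also apply to every job in the file, so the OIDC `id-token: write` grant would be inherited by any job added later; placing the block under `jobs.jreleaser` keeps the ability to mint identity tokens confined to the one job that attests.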
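Review bot: The step name `Sign artifacts with sigstore/cosign` (and the commit subject) misdescribes what the new step does: `actions/attest-build-provenance` generates a SLSA build-provenance attestation for the files matched by `subject-path` and records it in the repository's attestation store, signed via the Sigstore infrastructure; it does not run cosign and does not attach signatures to the jars that JReleaser publishes. Rename it to something like `- name: Generate build provenance attestation`, and consider documenting in the workflow how consumers verify, e.g. `# verify with: gh attestation verify <jar> --repo <owner>/<repo>`. Note also that the step runs after the JReleaser publish step whose env block forms the hunk's context, so a failed attestation fails the job but cannot prevent an already-published release; and the glob covers only `*.jar`, so any POMs, checksums or other published files under `./target/staging-deploy` receive no provenance.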