Attest build provenance of artifacts (#81)

hugovk · web-flow · commit 66f64e893314 · 2024-06-24T05:21:40.000-06:00
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -14,6 +14,9 @@ on:
 permissions:
   contents: read
 
+env:
+  FORCE_COLOR: 1
+
 jobs:
   # Always build & lint package.
   build-package:
@@ -38,6 +41,7 @@ jobs:
     needs: build-package
 
     permissions:
+      attestations: write
       id-token: write
 
     steps:
@@ -47,6 +51,11 @@ jobs:
           name: Packages
           path: dist
 
+      - name: Attest build provenance
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-path: "dist/*"
+
       - name: Upload package to Test PyPI
         uses: pypa/gh-action-pypi-publish@release/v1
         with:
@@ -62,6 +71,7 @@ jobs:
     needs: build-package
 
     permissions:
+      attestations: write
       id-token: write
 
     steps:
@@ -71,5 +81,10 @@ jobs:
           name: Packages
           path: dist
 
+      - name: Attest build provenance
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-path: "dist/*"
+
       - name: Upload package to PyPI
         uses: pypa/gh-action-pypi-publish@release/v1
