Attest contents of NuGet packages (#6)

Smaug123 · Jun 17, 2024 · aaaede0 · aaaede0
1 parent 94a9c53
commit aaaede0
Showing 1 changed file with 20 additions and 1 deletion.
diff --git a/.github/workflows/dotnet.yaml b/.github/workflows/dotnet.yaml
@@ -184,10 +184,29 @@ jobs:
  steps:
  - run: echo "All required checks complete."
 
+ attestation:
+ runs-on: ubuntu-latest
+ needs: [all-required-checks-complete]
+ if: ${{ !github.event.repository.fork && github.ref == 'refs/heads/main' }}
+ permissions:
+ id-token: write
+ attestations: write
+ contents: read
+ steps:
+ - name: Download NuGet artifact
+ uses: actions/download-artifact@v4
+ with:
+ name: nuget-package
+ path: packed
+ - name: Attest Build Provenance
+ uses: actions/attest-build-provenance@897ed5eab6ed058a474202017ada7f40bfa52940 # v1.0.0
+ with:
+ subject-path: "packed/WoofWare.DotnetRuntimeLocator.*.nupkg"
+
  nuget-publish:
  runs-on: ubuntu-latest
  if: ${{ !github.event.repository.fork && github.ref == 'refs/heads/main' }}
- needs: [all-required-checks-complete]
+ needs: [attestation]
  environment: main-deploy
  steps:
  - uses: actions/checkout@v4