Updated to add github attestation to all binaries

andylockran · andylockran · commit 2b8786b8b60d · 2025-09-15T19:37:16.000+01:00
diff --git a/.github/workflows/publish-layer-collector.yml b/.github/workflows/publish-layer-collector.yml
@@ -47,9 +47,14 @@ on:
         description: 'Build tags to customize collector build'
         required: false
         type: string
+      codesigning-profile:
+        description: 'The AWS Signing Profile for the layers'
+        required: false
+        type: string
 
 permissions:
   contents: read
+  attestations: write
 
 jobs:
   prepare-build-jobs:
@@ -89,6 +94,10 @@ jobs:
           fi
           echo "Build tags: $BUILDTAGS"
           make -C collector package GOARCH=${{ matrix.architecture }} BUILDTAGS=$BUILDTAGS
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a  #v3.0.0
+        with:
+          subject-path: ${{ github.workspace }}/collector/build/opentelemetry-collector-layer-${{ matrix.architecture }}.zip
       - name: Upload Collector Artifact
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
diff --git a/.github/workflows/release-layer-collector.yml b/.github/workflows/release-layer-collector.yml
@@ -39,6 +39,12 @@ jobs:
           go-version-file: collector/go.mod
       - name: build
         run: make -C collector package GOARCH=${{ matrix.architecture }}
+
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a  #v3.0.0
+        with:
+          subject-path: ${{ github.workspace }}/collector/build/opentelemetry-collector-layer-${{ matrix.architecture }}.zip
+
       - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: opentelemetry-collector-layer-${{ matrix.architecture }}.zip
diff --git a/.github/workflows/release-layer-java.yml b/.github/workflows/release-layer-java.yml
@@ -44,12 +44,21 @@ jobs:
           cd java
           ./gradlew :layer-javaagent:assemble :layer-wrapper:assemble --scan --stacktrace
 
+      - name: Generate artifact attestation for javaagent
+        uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a  #v3.0.0
+        with:
+          subject-path: java/layer-javaagent/build/distributions/opentelemetry-javaagent-layer.zip
+      
       - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         name: Save javaagent layer to build
         with:
           name: opentelemetry-javaagent-layer.zip
           path: java/layer-javaagent/build/distributions/opentelemetry-javaagent-layer.zip
 
+      - name: Generate artifact attestation for javawrapper
+        uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a  #v3.0.0
+        with:
+          subject-path: java/layer-wrapper/build/distributions/opentelemetry-javawrapper-layer.zip
       - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         name: Save javawrapper layer to build
         with:
diff --git a/.github/workflows/release-layer-nodejs.yml b/.github/workflows/release-layer-nodejs.yml
@@ -51,6 +51,10 @@ jobs:
         run: mv layer.zip opentelemetry-nodejs-layer.zip
         working-directory: nodejs/packages/layer/build
 
+      - name: Generate artifact attestation for nodejs-layer
+        uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a  #v3.0.0
+        with:
+          subject-path: nodejs/packages/layer/build/opentelemetry-nodejs-layer.zip
       - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         name: Save assembled layer to build
         with:
diff --git a/.github/workflows/release-layer-python.yml b/.github/workflows/release-layer-python.yml
@@ -57,6 +57,11 @@ jobs:
         run: |
           ls -al
         working-directory: python/src/build
+    
+      - name: Generate artifact attestation for python-layer
+        uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a  #v3.0.0
+        with:
+          subject-path: python/src/build/opentelemetry-python-layer.zip
 
       - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         name: Save assembled layer to build
diff --git a/.github/workflows/release-layer-ruby.yml b/.github/workflows/release-layer-ruby.yml
@@ -50,6 +50,11 @@ jobs:
           ls -al
         working-directory: ruby/src/build
 
+
+      - name: Generate artifact attestation for ruby-layer  
+        uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a  #v3.0.0
+        with:
+          subject-path: ruby/src/build/opentelemetry-ruby-layer.zip
       - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         name: Save assembled layer to build
         with:
