1414 permissions :
1515 contents : write
1616 actions : write
17+ id-token : write
18+ attestations : write
1719 steps :
1820 - uses : actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
1921 with :
@@ -34,12 +36,30 @@ jobs:
3436 run : echo "name=${GITHUB_REF#refs/heads/}" >> $GITHUB_OUTPUT
3537 - name : Release
3638 id : release
37- uses : google-github-actions /release-please-action@e4dc86ba9405554aeba3c6bb2d169500e7d3b4ee # v4.1.1
39+ uses : googleapis /release-please-action@7987652d64b4581673a76e33ad5e98e3dd56832f # v4.1.3
3840 with :
3941 target-branch : ${{ steps.branch.outputs.name }}
4042 release-type : terraform-module
4143 token : ${{ steps.token.outputs.token }}
42- - name : Upload Release Asset
44+ - name : Attest
45+ id : attest
46+ uses : actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0
47+ with :
48+ subject-path : ' ${{ github.workspace }}/lambdas/functions/**/*.zip'
49+ - name : ouptut attestation
50+ run : |
51+ echo "Attestation bundle: ${{ steps.attest.outputs.bundle-path }}"
52+ echo "Attestation id: ${{ steps.attest.outputs.attestation-id }}"
53+ echo "Attestation url: ${{ steps.attest.outputs.attestation-url }}"
54+ - name : Update release notes with attestation
55+ if : github.event_name == 'workflow_dispatch'
56+ run : |
57+ gh release view ${{ github.event.inputs.version }} --json body -q '.body' > new-release-notes.md
58+ echo "## Attestation" >> new-release-notes.md
59+ echo "Attestation url: ${{ steps.attest.outputs.attestation-url }}" >> new-release-notes.md
60+ echo "You can verify the artifacts by running \`gh attest verify <name of artifact> --repo npalm/atterstation-test\`" >> new-release-notes.md
61+ gh release edit ${{ github.event.inputs.version }} -F new-release-notes.md -t ${{ github.event.inputs.version }}
62+ - name : Upload Release Assets
4363 if : ${{ steps.release.outputs.releases_created == 'true' }}
4464 env :
4565 GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
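Review bot: The `run` block of the "Update release notes with attestation" step substitutes `${{ github.event.inputs.version }}` directly into the shell script three times (the `gh release view` and `gh release edit` lines), so a workflow_dispatch input is expanded as script text rather than passed as data; move it to an `env:` entry and reference `"$VERSION"` in the script, and do the same for the attestation URL for consistency. The same step hard-codes `--repo npalm/atterstation-test` in the verify hint, which looks like a leftover from a test repository (`$GITHUB_REPOSITORY` keeps it correct wherever the workflow runs), and it sets no `GH_TOKEN`, which `gh` needs unless a job-level env outside this hunk provides it — the following "Upload Release Assets" step sets the token per step, which suggests there is none. In the "Attest" step, `subject-path` is quoted with a leading space inside the quotes, so the value handed to the action begins with a space; write `subject-path: '${{ github.workspace }}/lambdas/functions/**/*.zip'`. The step name `ouptut attestation` has a typo (`output attestation`), and note that "Attest" runs unconditionally while "Upload Release Assets" is gated on `steps.release.outputs.releases_created == 'true'` — if no zip exists on a non-release run the attest step will presumably fail, so the same gate may be wanted there. The enclosing job and its `steps` list start outside the hunk.

```yaml
      - name: Update release notes with attestation
        if: github.event_name == 'workflow_dispatch'
        env:
          VERSION: ${{ github.event.inputs.version }}
          ATTESTATION_URL: ${{ steps.attest.outputs.attestation-url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # drop if a job-level env already provides it
        run: |
          gh release view "$VERSION" --json body -q '.body' > new-release-notes.md
          echo "## Attestation" >> new-release-notes.md
          echo "Attestation url: $ATTESTATION_URL" >> new-release-notes.md
          echo "You can verify the artifacts by running \`gh attest verify <name of artifact> --repo $GITHUB_REPOSITORY\`" >> new-release-notes.md
          gh release edit "$VERSION" -F new-release-notes.md -t "$VERSION"
      # … unchanged: Upload Release Assets step …
```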