Attest build provenance

hugovk · hugovk · commit 50f552061d0f · 2024-05-02T20:26:27.000+03:00
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -38,6 +38,7 @@ jobs:
     needs: build-package
 
     permissions:
+      attestations: write
       id-token: write
 
     steps:
@@ -47,6 +48,11 @@ jobs:
           name: Packages
           path: dist
 
+      - name: Attest build provenance
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-path: "dist/*"
+
       - name: Upload package to Test PyPI
         uses: pypa/gh-action-pypi-publish@release/v1
         with:
@@ -62,6 +68,7 @@ jobs:
     needs: build-package
 
     permissions:
+      attestations: write
       id-token: write
 
     steps:
@@ -71,5 +78,10 @@ jobs:
           name: Packages
           path: dist
 
+      - name: Attest build provenance
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-path: "dist/*"
+
       - name: Upload package to PyPI
         uses: pypa/gh-action-pypi-publish@release/v1
