Attest build provenance of artifacts

Author: hugovk

README.md

@@ -95,6 +95,11 @@ While *build-and-inspect-python-package* will build a wheel for you by default,
 
   Use this if you want to build multiple packages in one workflow.
   (*optional*, default: `''`).
+- `attest-build-provenance`: Whether to generate signed build provenance attestations for workflow artifacts using
+  [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance).
+  Requires `attestations: write` and `id-token: write` permissions.
+  The only meaningful value is `'true'` (note the quotes – GitHub Actions only allow string inputs) and everything else is treated as falsey.
+  (*optional*, default: `'false'`).
 
 
 ### Outputs

action.yml

@@ -19,6 +19,10 @@ inputs:
     description: Suffix to append to the artifact names.
     required: false
     default: ""
+  attest-build-provenance:
+    description: "Suffix to append to the artifact names. Requires 'attestations: write' and 'id-token: write' permissions."
+    required: false
+    default: 'false'
 outputs:
   dist:
     description: The location of the built packages.
@@ -102,6 +106,12 @@ runs:
       shell: bash
       working-directory: ${{ inputs.path }}
 
+    - name: Attest build provenance
+      if: ${{ inputs.attest-build-provenance == 'true' }}
+      uses: actions/attest-build-provenance@v1
+      with:
+        subject-path: "/tmp/baipp/dist/*"
+
     - name: Set output
       id: dist-location-setter
       shell: bash