From 19fbceec93c62be0e5a444b25d1ada738def21ca Mon Sep 17 00:00:00 2001
From: deepend-tildeclub <58404188+deepend-tildeclub@users.noreply.github.com>
Date: Fri, 16 Jan 2026 23:45:13 -0700
Subject: [PATCH] Add permissions for AppImage build workflow

---
 .github/workflows/appimage-build.yml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/.github/workflows/appimage-build.yml b/.github/workflows/appimage-build.yml
index a5382715..a8897ce6 100644
--- a/.github/workflows/appimage-build.yml
+++ b/.github/workflows/appimage-build.yml
@@ -10,6 +10,12 @@ jobs:
   appimage_build:
     runs-on: ubuntu-24.04
 
+    permissions:
+      contents: read
+      id-token: write
+      attestations: write
+      artifact-metadata: write
+
     steps:
       - uses: actions/checkout@v4
         with:
@@ -114,6 +120,12 @@ jobs:
           appimage_path="$(ls -1 *.AppImage | grep -v linuxdeploy | head -n 1)"
           mv "$appimage_path" "Zoitechat-${VERSION}-x86_64.AppImage"
 
+      - name: Attest AppImage (Build Provenance)
+        if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
+        uses: actions/attest-build-provenance@v3
+        with:
+          subject-path: Zoitechat-*-x86_64.AppImage
+
       - name: Upload AppImage artifact
         uses: actions/upload-artifact@v4
         with: