diff --git a/.github/workflows/appimage-build.yml b/.github/workflows/appimage-build.yml
index 32c9c31f..fd5b452d 100644
--- a/.github/workflows/appimage-build.yml
+++ b/.github/workflows/appimage-build.yml
@@ -10,6 +10,12 @@ jobs:
 appimage_build:
 runs-on: ubuntu-24.04
+ permissions:
+ contents: read
+ id-token: write
+ attestations: write
+ artifact-metadata: write
+
 steps:
 - uses: actions/checkout@v4
 with:
@@ -113,6 +119,12 @@ jobs:
 appimage_path="$(ls -1 *.AppImage | grep -v linuxdeploy | head -n 1)"
 mv "$appimage_path" "Zoitechat-${VERSION}-x86_64.AppImage"
+ - name: Attest AppImage (Build Provenance)
+ if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
+ uses: actions/attest-build-provenance@v3
+ with:
+ subject-path: Zoitechat-*-x86_64.AppImage
+
 - name: Upload AppImage artifact
 uses: actions/upload-artifact@v4
 with:
diff --git a/.github/workflows/flatpak-build.yml b/.github/workflows/flatpak-build.yml
index 9447ef60..3362592a 100644
--- a/.github/workflows/flatpak-build.yml
+++ b/.github/workflows/flatpak-build.yml
@@ -9,6 +9,13 @@ on:
 jobs:
 flatpak_build:
 runs-on: ubuntu-latest
+
+ permissions:
+ contents: read
+ id-token: write
+ attestations: write
+ artifact-metadata: write
+
 container:
 image: ghcr.io/flathub-infra/flatpak-github-actions:gnome-49
 options: --privileged
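Review bot: The `if:` guard on the "Attest AppImage" step admits every non-`pull_request` event and every same-repo PR, so signed provenance is produced for ordinary branch and PR builds as well as for whatever the release trigger is; the identical guard appears in the flatpak and windows hunks of this commit. That is not wrong, but it means a verifier cannot treat the mere presence of an attestation as "this was a release build" and has to check the source ref and workflow on verification, and the reason for the guard (fork PRs get no OIDC token, so the action would fail rather than be skipped) is not stated anywhere. Consider a comment above each `if:` such as `# Fork PRs receive no id-token; skip attestation instead of failing`, and, if only shipped builds should be attested, tightening the condition to the release event (the `on:` block is outside this hunk, so I cannot tell which triggers are enabled). The glob `subject-path: Zoitechat-*-x86_64.AppImage` attests whatever matches, which is fine as long as the working directory holds only the file renamed by the `mv` line above it.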
@@ -18,8 +25,23 @@ jobs:
 with:
 submodules: true
- - uses: flatpak/flatpak-github-actions/flatpak-builder@v6
+ - name: Build Flatpak
+ id: flatpak_builder
+ uses: flatpak/flatpak-github-actions/flatpak-builder@v6
 with:
 bundle: zoitechat.flatpak
 manifest-path: flatpak/net.zoite.Zoitechat.json
 cache-key: flatpak-builder-${{ github.sha }}
+
+ - name: Upload Flatpak Bundle
+ id: upload_flatpak
+ uses: actions/upload-artifact@v4
+ with:
+ name: zoitechat.flatpak
+ path: zoitechat.flatpak
+
+ - name: Attest Flatpak Bundle (Build Provenance)
+ if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
+ uses: actions/attest-build-provenance@v3
+ with:
+ subject-path: zoitechat.flatpak
diff --git a/.github/workflows/windows-build.yml b/.github/workflows/windows-build.yml
index 63970658..0e835b16 100644
--- a/.github/workflows/windows-build.yml
+++ b/.github/workflows/windows-build.yml
@@ -11,6 +11,13 @@ on:
 jobs:
 windows_build:
 runs-on: windows-2019
+
+ permissions:
+ contents: read
+ id-token: write
+ attestations: write
+ artifact-metadata: write
+
 strategy:
 matrix:
 platform: [x64, win32]
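Review bot: `id: upload_flatpak` is declared on the "Upload Flatpak Bundle" step but its `artifact-digest` output is never consumed; the attest step that follows uses `subject-path: zoitechat.flatpak`, whereas the windows workflow in this same commit binds its attestations to the uploaded artifact digest via `subject-name`/`subject-digest`. The two forms verify differently: a `subject-path` attestation matches the bare bundle, so someone who downloads the `zoitechat.flatpak` artifact zip from the run has to extract it before `gh attestation verify` succeeds, while the digest form matches the zip itself. Pick one convention for all three workflows, or remove the unused `id:` so it does not suggest the digest is being checked. Note also that the build runs under `options: --privileged` (shown in the earlier hunk of this file), so the provenance records which workflow produced the bundle, not that the build environment was isolated.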
@@ -90,12 +97,30 @@ jobs:
 move ..\zoitechat-build .\
 shell: cmd
- - uses: actions/upload-artifact@v4
+ - name: Upload Installer
+ id: upload_installer
+ uses: actions/upload-artifact@v4
 with:
 name: Installer ${{ matrix.arch }}
 path: ZoiteChat*.exe
- - uses: actions/upload-artifact@v4
+ - name: Attest Installer (Artifact Attestation)
+ if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
+ uses: actions/attest-build-provenance@v3
+ with:
+ subject-name: Installer ${{ matrix.arch }}
+ subject-digest: sha256:${{ steps.upload_installer.outputs.artifact-digest }}
+
+ - name: Upload Build Files
+ id: upload_buildfiles
+ uses: actions/upload-artifact@v4
 with:
 name: Build Files ${{ matrix.arch }}
 path: zoitechat-build
+
+ - name: Attest Build Files (Artifact Attestation)
+ if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
+ uses: actions/attest-build-provenance@v3
+ with:
+ subject-name: Build Files ${{ matrix.arch }}
+ subject-digest: sha256:${{ steps.upload_buildfiles.outputs.artifact-digest }}
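Review bot: `subject-digest: sha256:${{ steps.upload_installer.outputs.artifact-digest }}` depends on the preceding upload having actually matched `ZoiteChat*.exe`, but upload-artifact's default `if-no-files-found: warn` lets that step succeed with nothing uploaded, which presumably leaves the digest output empty and makes the attest step fail on a malformed `sha256:` subject. Failing closed is the right outcome, but the error would then point at the attestation rather than at the missing build output; adding `if-no-files-found: error` under `with:` on both upload steps moves the failure to where the files went missing. The same applies to the `Build Files` upload/attest pair at the end of the hunk. `matrix.arch` is used here while the earlier hunk of this file only shows `platform: [x64, win32]`; the context lines already used `matrix.arch`, so I assume `arch` is defined by an `include` outside this view.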