From 94e92b8edfab0c63c10a2d7403809a7e980cfacc Mon Sep 17 00:00:00 2001
From: deepend-tildeclub <58404188+deepend-tildeclub@users.noreply.github.com>
Date: Fri, 16 Jan 2026 21:36:10 -0700
Subject: [PATCH] Update Windows build workflow with permissions and attestations

Added permissions for artifact handling and attestation.
---
 .github/workflows/windows-build.yml | 29 +++++++++++++++++++++++++++--
 1 file changed, 27 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/windows-build.yml b/.github/workflows/windows-build.yml
index 63970658..0e835b16 100644
--- a/.github/workflows/windows-build.yml
+++ b/.github/workflows/windows-build.yml
@@ -11,6 +11,13 @@ on:
 jobs:
 windows_build:
 runs-on: windows-2019
+
+ permissions:
+ contents: read
+ id-token: write
+ attestations: write
+ artifact-metadata: write
+
 strategy:
 matrix:
 platform: [x64, win32]
@@ -90,12 +97,30 @@ jobs:
 move ..\zoitechat-build .\
 shell: cmd

- - uses: actions/upload-artifact@v4
+ - name: Upload Installer
+ id: upload_installer
+ uses: actions/upload-artifact@v4
 with:
 name: Installer ${{ matrix.arch }}
 path: ZoiteChat*.exe

- - uses: actions/upload-artifact@v4
+ - name: Attest Installer (Artifact Attestation)
+ if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
+ uses: actions/attest-build-provenance@v3
+ with:
+ subject-name: Installer ${{ matrix.arch }}
+ subject-digest: sha256:${{ steps.upload_installer.outputs.artifact-digest }}
+
+ - name: Upload Build Files
+ id: upload_buildfiles
+ uses: actions/upload-artifact@v4
 with:
 name: Build Files ${{ matrix.arch }}
 path: zoitechat-build
+
+ - name: Attest Build Files (Artifact Attestation)
+ if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
+ uses: actions/attest-build-provenance@v3
+ with:
+ subject-name: Build Files ${{ matrix.arch }}
+ subject-digest: sha256:${{ steps.upload_buildfiles.outputs.artifact-digest }}
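Review bot: The `permissions:` block sits at job level, so `id-token: write` and `attestations: write` are granted to every step of `windows_build`, including the build and packaging steps outside this hunk, not only the two attest steps added in the second hunk. Every action in the job is referenced by a mutable tag (`actions/upload-artifact@v4`, `actions/attest-build-provenance@v3`), so a retagged release would run with the ability to request an OIDC token and write attestations. Pinning to a full commit SHA narrows that, e.g. `uses: actions/attest-build-provenance@<full-commit-sha> # v3` (placeholder, to be filled from the action's release). A comment above the block such as `# id-token/attestations/artifact-metadata: required only by the attest-build-provenance steps` would also record why the write scopes exist. Whether attestation could move to a separate small job that holds these scopes cannot be judged from the hunk, since the matrix and the remaining steps are not shown.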
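Review bot: Both attest steps bind the provenance to `steps.<id>.outputs.artifact-digest`, which is the digest of the uploaded artifact archive rather than of `ZoiteChat*.exe` itself, so verification only succeeds against the artifact as downloaded from the workflow run. If the installer is also distributed as a bare `.exe` (for example on a release page, which this hunk does not show), `gh attestation verify` on that file would find no matching subject. An additional attest step using `subject-path: ZoiteChat*.exe` instead of `subject-name`/`subject-digest` would cover the file users actually run. The `if:` guard still lets same-repository pull requests produce attestations, so the README or release notes should tell verifiers to check the source ref recorded in the provenance rather than accept any attestation from this repository.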