Update Windows build workflow with permissions and attestations

Added permissions for artifact handling and attestation.
2026-03-10 07:50:19 +00:00 · 2026-01-16 21:36:10 -07:00
parent 93cd47de5c
commit 94e92b8edf
1 changed files with 27 additions and 2 deletions
--- a/.github/workflows/windows-build.yml
+++ b/.github/workflows/windows-build.yml
@@ -11,6 +11,13 @@ on:
 jobs:
  windows_build:
    runs-on: windows-2019
+
+    permissions:
+      contents: read
+      id-token: write
+      attestations: write
+      artifact-metadata: write
+
    strategy:
      matrix:
        platform: [x64, win32]
@@ -90,12 +97,30 @@ jobs:
          move ..\zoitechat-build .\
        shell: cmd

-      - uses: actions/upload-artifact@v4
+      - name: Upload Installer
+        id: upload_installer
+        uses: actions/upload-artifact@v4
        with:
          name: Installer ${{ matrix.arch }}
          path: ZoiteChat*.exe

-      - uses: actions/upload-artifact@v4
+      - name: Attest Installer (Artifact Attestation)
+        if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
+        uses: actions/attest-build-provenance@v3
+        with:
+          subject-name: Installer ${{ matrix.arch }}
+          subject-digest: sha256:${{ steps.upload_installer.outputs.artifact-digest }}
+
+      - name: Upload Build Files
+        id: upload_buildfiles
+        uses: actions/upload-artifact@v4
        with:
          name: Build Files ${{ matrix.arch }}
          path: zoitechat-build
+
+      - name: Attest Build Files (Artifact Attestation)
+        if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
+        uses: actions/attest-build-provenance@v3
+        with:
+          subject-name: Build Files ${{ matrix.arch }}
+          subject-digest: sha256:${{ steps.upload_buildfiles.outputs.artifact-digest }}