From ccc6580652f780ac7c6ba706cbc98bb00db5525c Mon Sep 17 00:00:00 2001
From: deepend-tildeclub <58404188+deepend-tildeclub@users.noreply.github.com>
Date: Fri, 16 Jan 2026 22:57:03 -0700
Subject: [PATCH] Enhance Flatpak build workflow with permissions and steps

Added permissions for contents, id-token, attestations, and artifact-metadata. Included steps for uploading and attesting the Flatpak bundle.
---
 .github/workflows/flatpak-build.yml | 24 +++++++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/flatpak-build.yml b/.github/workflows/flatpak-build.yml
index 9447ef60..3362592a 100644
--- a/.github/workflows/flatpak-build.yml
+++ b/.github/workflows/flatpak-build.yml
@@ -9,6 +9,13 @@ on:
 jobs:
   flatpak_build:
     runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      id-token: write
+      attestations: write
+      artifact-metadata: write
+
     container:
       image: ghcr.io/flathub-infra/flatpak-github-actions:gnome-49
       options: --privileged
@@ -18,8 +25,23 @@ jobs:
       with:
         submodules: true
 
-      - uses: flatpak/flatpak-github-actions/flatpak-builder@v6
+      - name: Build Flatpak
+        id: flatpak_builder
+        uses: flatpak/flatpak-github-actions/flatpak-builder@v6
         with:
           bundle: zoitechat.flatpak
           manifest-path: flatpak/net.zoite.Zoitechat.json
           cache-key: flatpak-builder-${{ github.sha }}
+
+      - name: Upload Flatpak Bundle
+        id: upload_flatpak
+        uses: actions/upload-artifact@v4
+        with:
+          name: zoitechat.flatpak
+          path: zoitechat.flatpak
+
+      - name: Attest Flatpak Bundle (Build Provenance)
+        if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
+        uses: actions/attest-build-provenance@v3
+        with:
+          subject-path: zoitechat.flatpak
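Review bot: `id-token: write` is granted job-wide here, so every step in `flatpak_build` — including the third-party flatpak-builder action running in the `--privileged` container on the following lines — can mint an OIDC token carrying this repository's identity, not just the attestation step that needs it; any cloud or registry trust policy keyed on this repo's OIDC claims is reachable from the build itself. The least-privilege shape is to leave this job at `contents: read` and move attestation into a separate job that downloads the uploaded artifact and attests it, which also keeps the signing identity away from the privileged build. I cannot confirm from the hunk whether `artifact-metadata: write` is required by the attest action version in use; if the action's documentation does not call for it, drop it rather than carry an unused write scope. The workflow's `on:` triggers are outside this hunk.
```yaml
  # … unchanged: flatpak_build job, with permissions reduced to contents: read …

  attest:
    needs: flatpak_build
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
      attestations: write
      artifact-metadata: write  # keep only if the attest action version in use requires it
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: zoitechat.flatpak
      - uses: actions/attest-build-provenance@v3
        with:
          subject-path: zoitechat.flatpak
```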
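Review bot: `actions/upload-artifact@v4` and `actions/attest-build-provenance@v3` are pinned to mutable major tags, so a moved tag on either action would let a compromised release sign provenance under this repository's OIDC identity; pin each to a full-length commit SHA with the version as a trailing comment, e.g. `uses: actions/attest-build-provenance@<40-char commit sha> # v3`, and treat the builder action on the line above the same way. The `if:` guard correctly skips fork pull requests, which cannot obtain an id-token, but it still produces attestations for every same-repo PR and branch build; if the provenance is meant to vouch for releases, narrow it further (for example to `github.ref_type == 'tag'` or the default branch). Worth a comment on the attest step that `upload-artifact` wraps the bundle in a zip, so verifiers must extract `zoitechat.flatpak` before checking the attestation, which is over the raw file's digest. The workflow's `on:` triggers that decide which events reach this step are outside the hunk.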