enable attestation for daily builds

vszakats · vszakats · commit 8322b8cfe29a · 2025-05-08T20:19:21.000+02:00
diff --git a/.github/workflows/daily.yml b/.github/workflows/daily.yml
@@ -22,6 +22,9 @@ jobs:
     if: ${{ github.repository_owner == 'curl' }}
     runs-on: 'ubuntu-latest'
     timeout-minutes: 30
+    permissions:
+      id-token: write
+      attestations: write
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
@@ -48,6 +51,9 @@ jobs:
 
       - name: 'list dependencies'
         run: cat urls.txt *-version-*.txt || true
+      - uses: actions/attest-build-provenance@db473fddc028af60658334401dc6fa3ffd8669fd # v2
+        with:
+          subject-path: 'curl-*-*-*/curl*, *-*-linux*.*, urls.txt'
       - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4
         with:
           name: 'curl-linux-glibc-daily-tool'
@@ -65,6 +71,9 @@ jobs:
     if: ${{ github.repository_owner == 'curl' }}
     runs-on: 'ubuntu-latest'
     timeout-minutes: 30
+    permissions:
+      id-token: write
+      attestations: write
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
@@ -89,6 +98,9 @@ jobs:
 
       - name: 'list dependencies'
         run: cat urls.txt *-version-*.txt || true
+      - uses: actions/attest-build-provenance@db473fddc028af60658334401dc6fa3ffd8669fd # v2
+        with:
+          subject-path: 'curl-*-*-*/curl*, *-*-linux*.*, urls.txt'
       - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4
         with:
           name: 'curl-linux-musl-daily-tool'
@@ -106,6 +118,9 @@ jobs:
     if: ${{ github.repository_owner == 'curl' }}
     runs-on: 'macos-latest'
     timeout-minutes: 30
+    permissions:
+      id-token: write
+      attestations: write
     env:
       CW_JOBS: '4'
     steps:
@@ -123,6 +138,9 @@ jobs:
 
       - name: 'list dependencies'
         run: cat urls.txt *-version-*.txt || true
+      - uses: actions/attest-build-provenance@db473fddc028af60658334401dc6fa3ffd8669fd # v2
+        with:
+          subject-path: 'curl-*-universal-*/curl*, *-*-macos*.*, urls.txt'
       - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4
         with:
           name: 'curl-macos-universal-daily-tool'
@@ -140,6 +158,9 @@ jobs:
     if: ${{ github.repository_owner == 'curl' }}
     runs-on: 'ubuntu-latest'
     timeout-minutes: 30
+    permissions:
+      id-token: write
+      attestations: write
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
@@ -172,6 +193,9 @@ jobs:
           name: 'curl-windows-daily-tool'
           retention-days: 42
           path: curl-*-*-*/curl*
+      - uses: actions/attest-build-provenance@db473fddc028af60658334401dc6fa3ffd8669fd # v2
+        with:
+          subject-path: '*-*-mingw*.*, urls.txt'
       - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4
         with:
           name: 'curl-windows-daily'
