From ac03928dc97aa09369e6acfd4aa91b8dcb655783 Mon Sep 17 00:00:00 2001 From: martincostello Date: Sat, 11 May 2024 13:58:44 +0100 Subject: [PATCH 1/3] Attest artifacts Attest the binaries from the build artifacts. --- .github/workflows/build.yml | 11 +++++++++++ .github/workflows/lint.yml | 2 +- 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 5ac77c28..5c2babd3 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -30,6 +30,11 @@ jobs: dotnet-sdk-version: ${{ steps.setup-dotnet.outputs.dotnet-version }} dotnet-validate-version: ${{ steps.get-dotnet-validate-version.outputs.dotnet-validate-version }} + permissions: + attestations: write + contents: read + id-token: write + strategy: fail-fast: false matrix: @@ -62,6 +67,12 @@ jobs: flags: ${{ matrix.os_name }} token: ${{ secrets.CODECOV_TOKEN }} + - name: Attest artifacts + uses: actions/attest-build-provenance@951c0c5f8e375ad4efad33405ab77f7ded2358e4 # v1.1.1 + #if: github.event.repository.fork == false && (github.ref_name == github.event.repository.default_branch || startsWith(github.ref, 'refs/tags/v')) + with: + subject-path: ./artifacts/bin/MartinCostello.Logging.XUnit/release*/*.dll + - name: Publish artifacts uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 924acdc1..f7f1d4f7 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -29,7 +29,7 @@ jobs: - name: Checkout code uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 - + - name: Add actionlint problem matcher run: echo "::add-matcher::.github/actionlint-matcher.json" From 986bece92ab76ccfd34748f8506d8b759516b66a Mon Sep 17 00:00:00 2001 
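Review bot: The `permissions:` block added at job level gives `id-token: write` and `attestations: write` to every step of the job on every matrix leg, including the build and test steps and the coverage-upload step that receives `secrets.CODECOV_TOKEN`, not only to the attestation step. Any code running in the job could then request an OIDC token or create an attestation under this repository's identity, which weakens what the provenance is meant to prove. Consider keeping the build job at `contents: read` and moving attestation into a small follow-up job that downloads the uploaded artifact and is the only holder of the write scopes. The job body starts and ends outside the hunk, so the job id, artifact name and paths below are placeholders.

```yaml
  # … unchanged: build job, with permissions reduced to `contents: read` …

  attest:
    needs: BUILD_JOB_ID  # placeholder: id of the build job
    runs-on: ubuntu-latest
    permissions:
      attestations: write
      contents: read
      id-token: write
    steps:
      - name: Download artifacts
        uses: actions/download-artifact@PINNED_COMMIT_SHA  # placeholder: pin to a full commit SHA
        with:
          name: ARTIFACT_NAME  # placeholder: name used by "Publish artifacts"
          path: ./artifacts
      - name: Attest artifacts
        uses: actions/attest-build-provenance@951c0c5f8e375ad4efad33405ab77f7ded2358e4 # v1.1.1
        with:
          subject-path: DOWNLOADED_DLL_GLOB  # placeholder: match the downloaded layout
```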
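Review bot: The `subject-path` glob in the new "Attest artifacts" step takes every `*.dll` under each `release*` directory, so any assembly that lands in that output folder receives a provenance statement from this repository, whether or not this build produced it. If the output can contain referenced or copied assemblies (not visible from the hunk), narrowing the pattern to the project's own assembly keeps the attestation meaningful, for example `subject-path: ./artifacts/bin/MartinCostello.Logging.XUnit/release*/MartinCostello.Logging.XUnit.dll`, assuming the assembly name matches the project name. The step list continues outside the hunk, so it cannot be seen here whether the files uploaded by "Publish artifacts" are the same files that were attested.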
From: martincostello Date: Sat, 11 May 2024 13:58:58 +0100 Subject: [PATCH 2/3] Ignore binlog files Ignore any `binlog` files. --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index 745b367f..aced40db 100644 --- a/.gitignore +++ b/.gitignore @@ -18,6 +18,7 @@ packages TestResults UpgradeLog*.htm UpgradeLog*.XML +*.binlog *.coverage *.DotSettings *.GhostDoc.xml From 388e51284d4fc131e5f600216d80b33c37e6d776 Mon Sep 17 00:00:00 2001 From: martincostello Date: Sat, 11 May 2024 14:03:06 +0100 Subject: [PATCH 3/3] Enable condition Only attest binaries on Windows builds for default branch and tags. --- .github/workflows/build.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 5c2babd3..884b80c2 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -69,7 +69,10 @@ jobs: - name: Attest artifacts uses: actions/attest-build-provenance@951c0c5f8e375ad4efad33405ab77f7ded2358e4 # v1.1.1 - #if: github.event.repository.fork == false && (github.ref_name == github.event.repository.default_branch || startsWith(github.ref, 'refs/tags/v')) + if: | + runner.os == 'Windows' && + github.event.repository.fork == false && + (github.ref_name == github.event.repository.default_branch || startsWith(github.ref, 'refs/tags/v')) with: subject-path: ./artifacts/bin/MartinCostello.Logging.XUnit/release*/*.dll
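Review bot: The branch test in the new `if:` compares `github.ref_name`, which is the short name of either a branch or a tag, so a tag that carries the default branch's name would satisfy the condition without passing the `refs/tags/v` prefix check. Comparing the full ref closes that gap: `github.ref == format('refs/heads/{0}', github.event.repository.default_branch)`. The workflow triggers are outside the hunk, so a one-line comment above the condition stating which events are expected to reach this step would help the next reader, for example `# Attest only default-branch and v* tag builds from this repository`.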