Attest the extension artifacts provenance

filips123 · Oct 8, 2024 · 17b0f3f · 17b0f3f
1 parent 6fd5dac
commit 17b0f3f
Showing 1 changed file with 21 additions and 1 deletion.
diff --git a/.github/workflows/extension.yaml b/.github/workflows/extension.yaml
@@ -24,6 +24,9 @@ jobs:
     name: Lint
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: read
+
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
@@ -52,6 +55,11 @@ jobs:
     name: Build
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: read
+      attestations: write
+      id-token: write
+
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
@@ -84,9 +92,15 @@ jobs:
         uses: actions/upload-artifact@v4
         with:
           name: firefoxpwa-extension-source
-          path: extension/dist/firefoxpwa-${{ env.VERSION }}-source.zip
+          path: extension/dist/firefoxpwa-*-source.zip
           compression-level: 0
 
+      - name: Attest the extension source
+        if: startsWith(github.ref, 'refs/tags/v')
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-path: extension/dist/firefoxpwa-*-source.zip
+
       - name: Install Node.js
         uses: actions/setup-node@v4
         with:
@@ -105,6 +119,12 @@ jobs:
           path: extension/dist/firefoxpwa-*-compiled.zip
           compression-level: 0
 
+      - name: Attest the compiled extension
+        if: startsWith(github.ref, 'refs/tags/v')
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-path: extension/dist/firefoxpwa-*-compiled.zip
+
   # Add auto-publishing to AMO once web-ext supports submitting extensions from ZIP files
   # This also includes uploading source code and AMO release notes
   # See: https://github.com/mozilla/web-ext/issues/3242