ci: Attest release artifacts (#4816)

Co-authored-by: oSumAtrIX <johan.melkonyan1@web.de>
2025-06-12 21:27:38 +02:00 · 2025-05-22 19:56:33 +07:00
parent 6ce739b0d0
commit 48b2e081ad
3 changed files with 23 additions and 16 deletions
--- a/.github/workflows/build_pull_request.yml
+++ b/.github/workflows/build_pull_request.yml
@ -19,11 +19,11 @@ jobs:
      - name: Setup Java
        uses: actions/setup-java@v4
        with:
-          distribution: "temurin"
-          java-version: "17"
+          distribution: 'temurin'
+          java-version: '17'

      - name: Cache Gradle
-        uses: burrunan/gradle-cache-action@v1
+        uses: burrunan/gradle-cache-action@v3

      - name: Build
        env:
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -13,24 +13,23 @@ jobs:
    permissions:
      contents: write
      packages: write
+      id-token: write
+      attestations: write
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
-          # Make sure the release step uses its own credentials:
-          # https://github.com/cycjimmy/semantic-release-action#private-packages
-          persist-credentials: false
          fetch-depth: 0

      - name: Setup Java
        uses: actions/setup-java@v4
        with:
-          distribution: "temurin"
-          java-version: "17"
+          distribution: 'temurin'
+          java-version: '17'

      - name: Cache Gradle
-        uses: burrunan/gradle-cache-action@v1
+        uses: burrunan/gradle-cache-action@v3

      - name: Build
        env:
@ -40,7 +39,7 @@ jobs:
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
-          node-version: "lts/*"
+          node-version: 'lts/*'
          cache: 'npm'

      - name: Install dependencies
@ -54,6 +53,14 @@ jobs:
          fingerprint: ${{ vars.GPG_FINGERPRINT }}

      - name: Release
+        uses: cycjimmy/semantic-release-action@v4
+        id: release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: npm exec semantic-release
+
+      - name: Attest
+        if: steps.release.outputs.new_release_published == 'true'
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-name: 'ReVanced Patches ${{ steps.release.outputs.new_release_git_tag }}'
+          subject-path: patches/build/libs/patches-*.rvp