Merge pull request #17827 from Homebrew/SMillerDev-patch-1

feat: add attestation to installer
2024-08-19 11:25:42 -04:00 · 2024-08-19 11:25:42 -04:00 · 2a5eb025f1
commit 2a5eb025f1
parent 21c8b8be08 2e990ce35c
3 changed files with 35 additions and 6 deletions
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@ -23,6 +23,10 @@ jobs:
      fail-fast: false
      matrix:
        version: ["18.04", "20.04", "22.04", "24.04"]
+    permissions:
+      contents: read # for code access
+      attestations: write # for actions/attest-build-provenance
+      id-token: write # for actions/attest-build-provenance
    steps:
      - name: Checkout
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
--- a/.github/workflows/pkg-installer.yml
+++ b/.github/workflows/pkg-installer.yml
@ -19,6 +19,10 @@ jobs:
  build:
    if: github.repository_owner == 'Homebrew' && github.actor != 'dependabot[bot]'
    runs-on: macos-latest
+    permissions:
+      contents: read # for code access
+      attestations: write # for actions/attest-build-provenance
+      id-token: write # for actions/attest-build-provenance
    outputs:
      installer_path: "Homebrew-${{ steps.homebrew-version.outputs.version }}.pkg"
    env:
@ -119,6 +123,11 @@ jobs:
            security delete-keychain "${RUNNER_TEMP}/${TEMPORARY_KEYCHAIN_FILE}"
          fi

+      - name: Generate build provenance
+        uses: actions/attest-build-provenance@5e9cb68e95676991667494a6a4e59b8a2f13e1d0 # v1.3.3
+        with:
+          subject-path: Homebrew-${{ steps.homebrew-version.outputs.version }}.pkg
+
      - name: Upload installer to GitHub Actions
        uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4
        with:
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@ -241,12 +241,28 @@ jobs:
        run: |
          echo ${{ secrets.HOMEBREW_BREW_GITHUB_PACKAGES_TOKEN }} |
            docker login ghcr.io -u BrewTestBot --password-stdin
-          docker tag brew "ghcr.io/homebrew/ubuntu22.04:master"
-          docker push "ghcr.io/homebrew/ubuntu22.04:master"
+          docker tag brew "ghcr.io/homebrew/ubuntu22.04:${{ github.ref_name }}"
+          docker push "ghcr.io/homebrew/ubuntu22.04:${{ github.ref_name }}"
          echo ${{ secrets.HOMEBREW_BREW_DOCKER_TOKEN }} |
            docker login -u brewtestbot --password-stdin
-          docker tag brew "homebrew/ubuntu22.04:master"
-          docker push "homebrew/ubuntu22.04:master"
+          docker tag brew "homebrew/ubuntu22.04:${{ github.ref_name }}"
+          docker push "homebrew/ubuntu22.04:${{ github.ref_name }}"
+
+      - name: Generate Docker image digest
+        if: github.ref == 'refs/heads/master'
+        id: digest
+        run: |
+          digest="$(docker image inspect --format='{{.Digest}}' brew)"
+          echo "digest=$digest" >> "$GITHUB_OUTPUT"
+
+      - name: Generate Docker image build provenance
+        uses: actions/attest-build-provenance@5e9cb68e95676991667494a6a4e59b8a2f13e1d0 # v1.3.3
+        if: github.ref == 'refs/heads/master'
+        id: attest
+        with:
+          push-to-registry: true
+          subject-digest: ${{ steps.digest.outputs.digest }}
+          subject-name: ghcr.io/homebrew/ubuntu22.04:${{ github.ref_name }}

  update-test:
    name: ${{ matrix.name }}