From d6bcdffe97a9a0f0e4cf21fda9c4b19e004dac60 Mon Sep 17 00:00:00 2001
From: Sean Molenaar
Date: Tue, 23 Jul 2024 14:46:15 +0200
Subject: [PATCH] feat: add attestation to installer

---
 .github/workflows/pkg-installer.yml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/.github/workflows/pkg-installer.yml b/.github/workflows/pkg-installer.yml
index 5abe7152c9..e517243016 100644
--- a/.github/workflows/pkg-installer.yml
+++ b/.github/workflows/pkg-installer.yml
@@ -19,6 +19,10 @@ jobs:
 build:
 if: github.repository_owner == 'Homebrew'
 runs-on: macos-latest
+ permissions:
+ contents: read # for code access
+ attestations: write # for actions/attest-build-provenance
+ id-token: write # for actions/attest-build-provenance
 outputs:
 installer_path: "Homebrew-${{ steps.homebrew-version.outputs.version }}.pkg"
 env:
@@ -119,6 +123,11 @@ jobs:
 security delete-keychain "${RUNNER_TEMP}/${TEMPORARY_KEYCHAIN_FILE}"
 fi

+ - name: Generate build provenance
+ uses: actions/attest-build-provenance@v1.3.3
+ with:
+ subject-path: Homebrew-${{ steps.homebrew-version.outputs.version }}.pkg
+
 - name: Upload installer to GitHub Actions
 uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4
 with:
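Review bot: `id-token: write` and `attestations: write` are granted to the whole `build` job, so every step in it can request an OIDC token, not only the attestation step. Most of the job is outside this hunk, but the second hunk shows it also runs keychain shell commands and other actions. If the workflow runs for pull requests as well (its triggers are not visible here), runs from forks generally do not receive these write scopes, so the attestation step may need a guard such as `if: github.event_name != 'pull_request'`.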
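Review bot: The new step references `actions/attest-build-provenance@v1.3.3` by tag, while the `upload-artifact` step directly below it is pinned to a full commit SHA with a version comment. A tag can be moved, and this action runs with `id-token: write` and `attestations: write`, so it should be pinned the same way: `uses: actions/attest-build-provenance@<full-commit-sha> # v1.3.3`. The `subject-path` value could also be quoted like `installer_path` in the job outputs, since both spell out the same file name and should stay in step.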