Homebrew · SMillerDev · Aug 19, 2024 · Jul 23, 2024 · Jul 23, 2024 · Jul 23, 2024
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -23,6 +23,10 @@ jobs:
  fail-fast: false
  matrix:
  version: ["18.04", "20.04", "22.04", "24.04"]
+ permissions:
+ contents: read # for code access
+ attestations: write # for actions/attest-build-provenance
+ id-token: write # for actions/attest-build-provenance
  steps:
  - name: Checkout
  uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4

diff --git a/.github/workflows/pkg-installer.yml b/.github/workflows/pkg-installer.yml
@@ -19,6 +19,10 @@ jobs:
  build:
  if: github.repository_owner == 'Homebrew'
  runs-on: macos-latest
+ permissions:
+ contents: read # for code access
+ attestations: write # for actions/attest-build-provenance
+ id-token: write # for actions/attest-build-provenance
  outputs:
  installer_path: "Homebrew-${{ steps.homebrew-version.outputs.version }}.pkg"
  env:
@@ -119,6 +123,11 @@ jobs:
  security delete-keychain "${RUNNER_TEMP}/${TEMPORARY_KEYCHAIN_FILE}"
  fi
 
+ - name: Generate build provenance
+ uses: actions/attest-build-provenance@5e9cb68e95676991667494a6a4e59b8a2f13e1d0 # v1.3.3
+ with:
+ subject-path: Homebrew-${{ steps.homebrew-version.outputs.version }}.pkg
+
  - name: Upload installer to GitHub Actions
  uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4
  with:

diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -239,14 +239,30 @@ jobs:
  - name: Deploy the Docker image to GitHub Packages and Docker Hub
  if: github.ref == 'refs/heads/master'
  run: |
- echo ${{secrets.HOMEBREW_BREW_GITHUB_PACKAGES_TOKEN}} |
+ echo ${{ secrets.HOMEBREW_BREW_GITHUB_PACKAGES_TOKEN }} |
  docker login ghcr.io -u BrewTestBot --password-stdin
- docker tag brew "ghcr.io/homebrew/ubuntu22.04:master"
- docker push "ghcr.io/homebrew/ubuntu22.04:master"
- echo ${{secrets.HOMEBREW_BREW_DOCKER_TOKEN}} |
+ docker tag brew "ghcr.io/homebrew/ubuntu22.04:${{ github.ref_name }}"
+ docker push "ghcr.io/homebrew/ubuntu22.04:${{ github.ref_name }}"
+ echo ${{ secrets.HOMEBREW_BREW_DOCKER_TOKEN }} |
  docker login -u brewtestbot --password-stdin
- docker tag brew "homebrew/ubuntu22.04:master"
- docker push "homebrew/ubuntu22.04:master"
+ docker tag brew "homebrew/ubuntu22.04:${{ github.ref_name }}"
+ docker push "homebrew/ubuntu22.04:${{ github.ref_name }}"
+
+ - name: Generate image digest
+ if: github.ref == 'refs/heads/master'
+ id: digest
+ run: |
+ digest="$(docker image inspect --format='{{.Digest}}' brew)"
+ echo "digest=$digest" >> "$GITHUB_OUTPUT"
+
+ - name: Generate build provenance
+ uses: actions/attest-build-provenance@5e9cb68e95676991667494a6a4e59b8a2f13e1d0 # v1.3.3
+ if: github.ref == 'refs/heads/master'
+ id: attest
+ with:
+ push-to-registry: true
+ subject-digest: ${{ steps.digest.outputs.digest }}
+ subject-name: ghcr.io/homebrew/ubuntu22.04:${{ github.ref_name }}
 
  update-test:
  name: ${{ matrix.name }}