Add build-provenance after pr-pull

Adds an extra step after pr-pull in publish-commit-bottles.yml to generate build provenance for bottles that get published. This requires a small change in `Homebrew/brew` to retain the temporary directory and to expose the path to the following workflow steps. That change must be merged first before this change will work.
Homebrew · Jan 25, 2024 · c3f2988 · c3f2988
1 parent cf370eb
commit c3f2988
Showing 1 changed file with 9 additions and 1 deletion.
diff --git a/.github/workflows/publish-commit-bottles.yml b/.github/workflows/publish-commit-bottles.yml
@@ -242,7 +242,9 @@ jobs:
     container:
       image: ghcr.io/homebrew/ubuntu22.04:master
     permissions:
-      contents: read
+      id-token: write # for `generate build provenance`
+      contents: write # for `generate build provenance`
+      packages: write # for `generate build provenance`
       actions: read # for `brew pr-pull`
       pull-requests: write # for `gh pr edit|review`
       repository-projects: write # for `gh pr edit`
@@ -316,12 +318,18 @@ jobs:
             --workflows=tests.yml \
             --committer="$BREWTESTBOT_NAME_EMAIL" \
             --root-url="https://ghcr.io/v2/homebrew/core" \
+            --retain-bottle-dir \
             ${{inputs.warn_on_upload_failure && '--warn-on-upload-failure' || ''}} \
             ${{inputs.message && '--message="$INPUT_MESSAGE"' || ''}} \
             "$PR"
 
           echo "head_sha=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"
 
+      - name: generate build provenance
+        uses: github-early-access/generate-build-provenance@main
+        with:
+          subject-path: '${{steps.pr-pull.outputs.bottle-path}}/*.tar.gz'
+
       - name: Push commits
         uses: Homebrew/actions/git-try-push@master
         with: