From c3f2988447de9f3e79ebf7952fb2c27f46350103 Mon Sep 17 00:00:00 2001
From: Joseph Sweeney
Date: Thu, 25 Jan 2024 08:51:07 -0500
Subject: [PATCH] Add build-provenance after pr-pull

Adds an extra step after pr-pull in publish-commit-bottles.yml to generate build provenance for bottles that get published. This requires a small change in `Homebrew/brew` to retain the temporary directory and to expose the path to the following workflow steps. That change must be merged first before this change will work.
---
 .github/workflows/publish-commit-bottles.yml | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/publish-commit-bottles.yml b/.github/workflows/publish-commit-bottles.yml
index 436bb135e8ee2..7efb07d2b0519 100644
--- a/.github/workflows/publish-commit-bottles.yml
+++ b/.github/workflows/publish-commit-bottles.yml
@@ -242,7 +242,9 @@ jobs:
 container:
 image: ghcr.io/homebrew/ubuntu22.04:master
 permissions:
- contents: read
+ id-token: write # for `generate build provenance`
+ contents: write # for `generate build provenance`
+ packages: write # for `generate build provenance`
 actions: read # for `brew pr-pull`
 pull-requests: write # for `gh pr edit|review`
 repository-projects: write # for `gh pr edit`
@@ -316,12 +318,18 @@ jobs:
 --workflows=tests.yml \
 --committer="$BREWTESTBOT_NAME_EMAIL" \
 --root-url="https://ghcr.io/v2/homebrew/core" \
+ --retain-bottle-dir \
 ${{inputs.warn_on_upload_failure && '--warn-on-upload-failure' || ''}} \
 ${{inputs.message && '--message="$INPUT_MESSAGE"' || ''}} \
 "$PR"
 echo "head_sha=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"
+ - name: generate build provenance
+ uses: github-early-access/generate-build-provenance@main
+ with:
+ subject-path: '${{steps.pr-pull.outputs.bottle-path}}/*.tar.gz'
+
 - name: Push commits
 uses: Homebrew/actions/git-try-push@master
 with:
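Review bot: The new `contents: write` and `packages: write` grants in the `permissions:` block apply to the whole job's GITHUB_TOKEN, so every step — including `brew pr-pull`, which presumably fetches and processes pull-request content — now runs with write access to the repository and to packages, not only the provenance step. The inline comments attribute all three grants to `generate build provenance`, but with a file `subject-path` rather than a registry image this hunk does not show that `packages: write` or the upgrade from `contents: read` to `contents: write` is actually required; confirm against the action's documented requirements, and if only `id-token: write` is needed keep `contents: read` and drop `packages: write`. If the broader grants are genuinely needed, generating provenance in a separate job with its own `permissions:` block, fed the bottle directory as an artifact, would keep them away from the steps that handle PR input.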
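Review bot: `uses: github-early-access/generate-build-provenance@main` pins an external action to a moving branch while the step runs with `id-token: write`, so whoever can push to that branch can mint OIDC tokens in this repository's name; pin it to a full commit SHA with the version in a trailing comment, e.g. `uses: github-early-access/generate-build-provenance@<commit-sha-placeholder> # <version-placeholder>`. The first-party `Homebrew/actions/git-try-push@master` below follows the file's own convention, but that reasoning does not extend to an early-access third-party action. Two smaller points: `steps.pr-pull.outputs.bottle-path` depends on the `brew pr-pull` step carrying `id: pr-pull` (above this hunk, not visible here) and on the `Homebrew/brew` change the description says must land first, so an empty output turns `subject-path` into `/*.tar.gz` and fails, at best, with an unhelpful error. Because `brew pr-pull` has already uploaded the bottles by the time this step runs, a provenance failure leaves published bottles without attestations while still blocking the commit push; a short comment on the step stating that this is the intended failure mode would save the next maintainer from guessing.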