build: artifact attestation (#2205)

Author: aeharding

.github/workflows/build_release.yml

@@ -21,6 +21,8 @@ jobs:
     permissions:
       contents: read
       packages: write
+      id-token: write
+      attestations: write
 
   build_web:
     concurrency:
@@ -29,7 +31,8 @@ jobs:
     environment: production
     permissions:
       contents: read
-      id-token: write # aws
+      id-token: write # aws + attestation
+      attestations: write
     steps:
       - uses: actions/checkout@v5
 
@@ -68,6 +71,11 @@ jobs:
         run: |
           zip -r Voyager-Web-$BUILD_LABEL.zip dist
 
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v3
+        with:
+          subject-path: Voyager-Web-${{ env.BUILD_LABEL }}.zip
+
       - name: Upload artifacts
         uses: actions/upload-artifact@v4
         with:
@@ -79,6 +87,10 @@ jobs:
       group: ios-release
     environment: deploy
     runs-on: macos-latest
+    permissions:
+      contents: read
+      id-token: write
+      attestations: write
     steps:
       - uses: actions/checkout@v5
 
@@ -123,6 +135,11 @@ jobs:
           APP_STORE_CONNECT_KEY: ${{ secrets.APP_STORE_CONNECT_KEY }}
           COMMIT_MSG: ${{ github.event.commits[0].message }}
 
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v3
+        with:
+          subject-path: Voyager-iOS-${{ env.BUILD_LABEL }}.ipa
+
       - name: Upload iOS IPA as artifact
         uses: actions/upload-artifact@v4
         with:
@@ -131,6 +148,10 @@ jobs:
 
   build_android:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+      attestations: write
     steps:
       - uses: actions/checkout@v5
 
@@ -175,6 +196,11 @@ jobs:
 
       - run: mv android/app/build/outputs/apk/release/app-release.apk Voyager-Android-${{ env.BUILD_LABEL }}.apk
 
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v3
+        with:
+          subject-path: Voyager-Android-${{ env.BUILD_LABEL }}.apk
+
       - name: Send to Artifacts
         uses: actions/upload-artifact@v4
         with:

.github/workflows/docker.yml

@@ -18,6 +18,8 @@ jobs:
     permissions:
       contents: read
       packages: write
+      id-token: write
+      attestations: write
 
     steps:
       - name: Checkout
@@ -57,6 +59,7 @@ jobs:
           password: ${{ github.token }}
 
       - name: Build and push
+        id: push
         uses: docker/build-push-action@v6
         with:
           context: .
@@ -66,3 +69,11 @@ jobs:
           labels: ${{ steps.metal.outputs.labels }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
+
+      - name: Generate artifact attestation
+        if: github.event_name != 'pull_request'
+        uses: actions/attest-build-provenance@v3
+        with:
+          subject-name: ghcr.io/${{ github.repository }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true

.github/workflows/release.yml

@@ -123,7 +123,8 @@ jobs:
     permissions:
       contents: write # needed for create_release, even though it won't be called
       packages: write # docker release
-      id-token: write # aws
+      id-token: write # aws + attestation
+      attestations: write
 
   push_release:
     needs: [bump_src, app_build, app_version]