chore: Attest release artifacts with sigstore/cosign (#6016)

This ensures all builds are verifiable by https://www.sigstore.dev/. Co-authored-by: ludvigch <[email protected]>
INRIA · Oct 26, 2024 · 51b5032 · 51b5032
1 parent ceb0a3c
commit 51b5032
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/.github/workflows/jreleaser.yml b/.github/workflows/jreleaser.yml
@@ -7,6 +7,10 @@ on:
         required: true
         type: string
 
+permissions:
+  id-token: write # for verifying identity in attestation process
+  attestations: write # to push attestation
+
 jobs:
   jreleaser:
     runs-on: ubuntu-latest
@@ -29,6 +33,11 @@ jobs:
           JRELEASER_NEXUS2_MAVEN_CENTRAL_USERNAME: ${{ secrets.JRELEASER_NEXUS2_MAVEN_CENTRAL_USERNAME }}
           JRELEASER_NEXUS2_MAVEN_CENTRAL_PASSWORD: ${{ secrets.JRELEASER_NEXUS2_MAVEN_CENTRAL_PASSWORD }}
 
+      - name: Sign artifacts with sigstore/cosign
+        uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3
+        with:
+          subject-path: './target/staging-deploy/**/*.jar'
+
         # Log failures
       - name: JReleaser release output
         if: always()