From 950b47fbc868e831093aaf6549c3a12951790619 Mon Sep 17 00:00:00 2001 From: Trask Stalnaker Date: Mon, 10 Feb 2025 15:40:55 -0800 Subject: [PATCH] Use attestation instead of signature --- .github/workflows/release.yml | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 0408fdc3e3eb..bedd681f862d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -21,6 +21,8 @@ jobs: release: permissions: contents: write # for creating the release + attestations: write # for creating the attestation + id-token: write # for creating the attestation runs-on: ubuntu-latest needs: - required-jobs @@ -169,20 +171,33 @@ jobs: .github/scripts/generate-release-contributors.sh v$PRIOR_VERSION >> /tmp/release-notes.txt fi + - name: Simplify jar path for attesting and attaching + run: | + cp javaagent/build/libs/opentelemetry-javaagent-${VERSION}.jar opentelemetry-javaagent.jar + + - id: attest + uses: actions/attest-build-provenance@v2 + with: + subject-path: | + opentelemetry-javaagent.jar + opentelemetry-java-instrumentation-SBOM.zip + + - name: Rename attestation bundle file for attaching + run: | + cp ${{ steps.attest.outputs.bundle-path }} attestation.intoto.jsonl + - id: create-github-release name: Create GitHub release env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - cp javaagent/build/libs/opentelemetry-javaagent-${VERSION}.jar opentelemetry-javaagent.jar - cp javaagent/build/libs/opentelemetry-javaagent-${VERSION}.jar.asc opentelemetry-javaagent.jar.asc gh release create --target $GITHUB_REF_NAME \ --title "Version $VERSION" \ --notes-file /tmp/release-notes.txt \ v$VERSION \ opentelemetry-javaagent.jar \ - opentelemetry-javaagent.asc.jar \ - opentelemetry-java-instrumentation-SBOM.zip + opentelemetry-java-instrumentation-SBOM.zip \ + attestation.intoto.jsonl echo "version=$VERSION" >> $GITHUB_OUTPUT echo "prior-version=$PRIOR_VERSION" >> $GITHUB_OUTPUT