Commit a904346
authored
feat(ci): attest nuget release artifacts (#203)
## Why
We already use OIDC trusted publishing to nuget.org, but release
artifacts did not have GitHub-signed provenance metadata. Adding
attestation strengthens supply-chain integrity and gives maintainers and
consumers a way to verify where the published package came from.
## What changed
- Added `attestations: write` and `artifact-metadata: write` permissions
to the `deploy` job in `deploy.yml`.
- Added an `actions/attest@v4` step that attests the built
`IntelliTect.Multitool.<tag>.nupkg` before NuGet push and release
upload.
## Notes
- This is a minimal workflow-only change. Existing build, test, package,
and publish flow remains unchanged.1 parent a309493 commit a904346
1 file changed
Lines changed: 6 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
57 | 57 | | |
58 | 58 | | |
59 | 59 | | |
| 60 | + | |
| 61 | + | |
60 | 62 | | |
61 | 63 | | |
62 | 64 | | |
| |||
68 | 70 | | |
69 | 71 | | |
70 | 72 | | |
| 73 | + | |
| 74 | + | |
| 75 | + | |
| 76 | + | |
71 | 77 | | |
72 | 78 | | |
73 | 79 | | |
| |||
0 commit comments