Skip to content

Commit a904346

Browse files
feat(ci): attest nuget release artifacts (#203)
## Why We already use OIDC trusted publishing to nuget.org, but release artifacts did not have GitHub-signed provenance metadata. Adding attestation strengthens supply-chain integrity and gives maintainers and consumers a way to verify where the published package came from. ## What changed - Added `attestations: write` and `artifact-metadata: write` permissions to the `deploy` job in `deploy.yml`. - Added an `actions/attest@v4` step that attests the built `IntelliTect.Multitool.<tag>.nupkg` before NuGet push and release upload. ## Notes - This is a minimal workflow-only change. Existing build, test, package, and publish flow remains unchanged.
1 parent a309493 commit a904346

1 file changed

Lines changed: 6 additions & 0 deletions

File tree

.github/workflows/deploy.yml

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -57,6 +57,8 @@ jobs:
5757
url: 'https://www.nuget.org/packages/IntelliTect.Multitool'
5858
permissions:
5959
id-token: write # Required for OIDC token (NuGet trusted publishing)
60+
attestations: write # Required for GitHub artifact attestations
61+
artifact-metadata: write # Required to create artifact storage records
6062
contents: write # Required for softprops/action-gh-release
6163
steps:
6264
- name: Download artifact from build job
@@ -68,6 +70,10 @@ jobs:
6870
run: |
6971
$tagVersion = "${{ github.ref }}".substring(11)
7072
echo "TAG_VERSION=$tagVersion" >> $env:GITHUB_OUTPUT
73+
- name: Attest NuGet package provenance
74+
uses: actions/attest@v4
75+
with:
76+
subject-path: IntelliTect.Multitool.${{ steps.tag-version.outputs.TAG_VERSION }}.nupkg
7177
- name: NuGet login
7278
uses: NuGet/login@v1
7379
id: login

0 commit comments

Comments
 (0)