From 6534016f2fa1798506fe3bbffe1b689da30ab64c Mon Sep 17 00:00:00 2001
From: Ben
Date: Thu, 30 Apr 2026 20:13:42 +0000
Subject: [PATCH] Add sbom attestations
---
 .github/workflows/build.yml | 21 +++++++++++++++++++++
 .github/workflows/ci.yml | 2 ++
 .github/workflows/python-publish.yml | 18 ++++++++++++++++++
 doc/tutorials/installation.rst | 16 ++++++++++++++++
 4 files changed, 57 insertions(+)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 195175fa..af6c6ceb 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -20,6 +20,8 @@ jobs:
 permissions:
 contents: write
 security-events: write
+ attestations: write
+ id-token: write
 steps:
 - name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)"
@@ -42,6 +44,9 @@ jobs:
 community.chocolatey.org:80
 packages.chocolatey.org:443
 api.nuget.org:443
+ fulcio.sigstore.dev:443
+ rekor.sigstore.dev:443
+ tuf-repo-cdn.sigstore.dev:443
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
@@ -117,6 +122,22 @@ jobs:
 path: ${{ github.workspace }}\.clcache
 key: ${{ steps.clcache-restore.outputs.cache-primary-key }}
+ - name: Find SBOM path
+ id: find-sbom
+ shell: bash
+ run: |
+ SBOM=$(find build/dfetch-package -name '*.cdx.json' -maxdepth 1 | head -1)
+ echo "path=$SBOM" >> "$GITHUB_OUTPUT"
+ - name: Attest binary packages with SBOM
+ uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
+ with:
+ subject-path: |
+ build/dfetch-package/*.deb
+ build/dfetch-package/*.rpm
+ build/dfetch-package/*.pkg
+ build/dfetch-package/*.msi
+ predicate-type: 'https://cyclonedx.org/bom'
+ predicate-path: ${{ steps.find-sbom.outputs.path }}
 - name: Store the distribution packages
 uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 with:
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 9e5a2a03..b9cd2539 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
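Review bot: The `Find SBOM path` step in the third hunk succeeds even when no `*.cdx.json` exists under `build/dfetch-package`, so `predicate-path` is handed to `actions/attest` as an empty string and the failure (presumably a missing-predicate error inside the action) surfaces one step later, where it no longer says which file was absent; `shell: bash` runs with `-e`, but an empty `$(find … | head -1)` substitution exits 0 and does not trigger it. I would fail fast in the step itself with `SBOM=$(find build/dfetch-package -maxdepth 1 -name '*.cdx.json' | head -1)` followed by `[ -n "$SBOM" ] || { echo "::error::no CycloneDX SBOM found in build/dfetch-package" >&2; exit 1; }` — moving `-maxdepth` ahead of `-name` also silences GNU find's option-order warning. `head -1` silently picks an arbitrary file if more than one SBOM is ever present, so if several can be produced the glob should be narrowed to the one that describes these packages. The `Find SBOM path` step added to `.github/workflows/python-publish.yml` in this patch has the same shape and should get the same guard.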
@@ -28,6 +28,8 @@ jobs:
 permissions:
 contents: write
 security-events: write
+ attestations: write
+ id-token: write
 with:
 release_id: ${{ needs.prep-release.outputs.release_id }}
diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml
index 8e6d086b..d1dde6b1 100644
--- a/.github/workflows/python-publish.yml
+++ b/.github/workflows/python-publish.yml
@@ -18,6 +18,10 @@ jobs:
 build:
 name: Build distribution 📦
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ attestations: write
+ id-token: write
 steps:
 - name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)"
@@ -30,6 +34,9 @@ jobs:
 release-assets.githubusercontent.com:443
 pypi.org:443
 files.pythonhosted.org:443
+ fulcio.sigstore.dev:443
+ rekor.sigstore.dev:443
+ tuf-repo-cdn.sigstore.dev:443
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
@@ -50,6 +57,17 @@ jobs:
 with:
 name: python-package-distributions
 path: dist/
+ - name: Find SBOM path
+ id: find-sbom
+ run: |
+ SBOM=$(find dist-sbom -name '*.cdx.json' -maxdepth 1 | head -1)
+ echo "path=$SBOM" >> "$GITHUB_OUTPUT"
+ - name: Attest Python distribution with SBOM
+ uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
+ with:
+ subject-path: 'dist/*.whl,dist/*.tar.gz'
+ predicate-type: 'https://cyclonedx.org/bom'
+ predicate-path: ${{ steps.find-sbom.outputs.path }}
 - name: Store the SBOM
 uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 with:
diff --git a/doc/tutorials/installation.rst b/doc/tutorials/installation.rst
index ac15b96b..4e46a387 100644
--- a/doc/tutorials/installation.rst
+++ b/doc/tutorials/installation.rst
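Review bot: The `Attest Python distribution with SBOM` step in the last hunk publishes only a CycloneDX-predicate attestation (`predicate-type: 'https://cyclonedx.org/bom'`), so no SLSA build-provenance attestation exists for the wheels and sdist; `gh attestation verify` filters on `https://slsa.dev/provenance/v1` unless `--predicate-type` is given, and the verification command this same patch adds to `doc/tutorials/installation.rst` omits that flag, so as documented it would find no matching attestation. Either add an `actions/attest-build-provenance` step over the same `subject-path` next to this one, or document the command as `gh attestation verify <artifact> --repo dfetch-org/dfetch --predicate-type https://cyclonedx.org/bom`. The attestation also binds the distribution files to whatever `dist-sbom/*.cdx.json` is present at that point, and the step that produces it is outside this hunk, so a comment above `Find SBOM path` naming that producer (`# SBOM generated by <step id> from the sdist built above`, or similar) would let a reviewer confirm the SBOM describes exactly these artifacts. The `Attest binary packages with SBOM` step in `.github/workflows/build.yml` has the same provenance gap.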
@@ -87,3 +87,19 @@ Run the following command to verify the installation
 $ dfetch environment
 .. asciinema:: ../asciicasts/environment.cast
+
+Verifying release integrity
+---------------------------
+
+Every dfetch release artifact is published with a `cryptographic attestation`_ that ties
+it to the SBOM describing its dependencies. You can verify any downloaded artifact using
+the GitHub CLI:
+
+.. code-block:: console
+
+ $ gh attestation verify dfetch--nix.deb --repo dfetch-org/dfetch
+
+See `GitHub artifact attestations`_ for more information on how attestations work.
+
+.. _`cryptographic attestation`: https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds
+.. _`GitHub artifact attestations`: https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations