-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
actions/attest-build-provenance #3220
base: master
Are you sure you want to change the base?
Conversation
It is erroring with:
|
@emanuele6 that seems a permissions issue on the pr actions. It works in the local repo (except docker push which was working https://github.com/lectrical/jq/actions/runs/12274537270 It's the normal error you expect if you forgot to add these https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds#generating-build-provenance-for-binaries Perhaps it should be skipped for pr requests anyway? |
So according to this actions/attest-build-provenance#99 the issue is expected. I think I can maybe make it skip this on a pr originating from a fork? |
So that worked. The step is skipped unless a tag was pushed. I think that will only happen for a new release? |
Adding https://github.com/actions/attest-build-provenance to the ci builds so that the release assets and docker image for the next release tag generate signed build provenance attestations for workflow artifacts.