build: fixup attestation for release assets (#49732)

* build: fixup attestation for release assets

* Generate artifact attestation for generated artifacts

* set id-token for attestation

* Add artifact-metadata permission for attestation

* add permissions for testing attestations

* Revert "add permissions for testing attestations"

This reverts commit 0284bed175.

* Revert "set id-token for attestation"

This reverts commit 69a1b13a18.

* Revert "Generate artifact attestation for generated artifacts"

This reverts commit ee0536eceb.

.github/workflows/linux-publish.yml

@@ -46,6 +46,7 @@ jobs:
   publish-x64:
     uses: ./.github/workflows/pipeline-segment-electron-publish.yml
     permissions:
+      artifact-metadata: write
       attestations: write
       contents: read
       id-token: write
@@ -65,6 +66,7 @@ jobs:
   publish-arm:
     uses: ./.github/workflows/pipeline-segment-electron-publish.yml
     permissions:
+      artifact-metadata: write
       attestations: write
       contents: read
       id-token: write
@@ -84,6 +86,7 @@ jobs:
   publish-arm64:
     uses: ./.github/workflows/pipeline-segment-electron-publish.yml
     permissions:
+      artifact-metadata: write
       attestations: write
       contents: read
       id-token: write

.github/workflows/macos-publish.yml

@@ -50,6 +50,7 @@ jobs:
   publish-x64-darwin:
     uses: ./.github/workflows/pipeline-segment-electron-publish.yml
     permissions:
+      artifact-metadata: write
       attestations: write
       contents: read
       id-token: write
@@ -69,6 +70,7 @@ jobs:
   publish-x64-mas:
     uses: ./.github/workflows/pipeline-segment-electron-publish.yml
     permissions:
+      artifact-metadata: write
       attestations: write
       contents: read
       id-token: write
@@ -88,6 +90,7 @@ jobs:
   publish-arm64-darwin:
     uses: ./.github/workflows/pipeline-segment-electron-publish.yml
     permissions:
+      artifact-metadata: write
       attestations: write
       contents: read
       id-token: write
@@ -107,6 +110,7 @@ jobs:
   publish-arm64-mas:
     uses: ./.github/workflows/pipeline-segment-electron-publish.yml
     permissions:
+      artifact-metadata: write
       attestations: write
       contents: read
       id-token: write

.github/workflows/pipeline-segment-electron-publish.yml

@@ -93,6 +93,7 @@ jobs:
         shell: bash
     runs-on: ${{ inputs.build-runs-on }}
     permissions:
+      artifact-metadata: write
       attestations: write
       contents: read
       id-token: write

.github/workflows/windows-publish.yml

@@ -54,6 +54,7 @@ jobs:
   publish-x64-win:
     uses: ./.github/workflows/pipeline-segment-electron-publish.yml
     permissions:
+      artifact-metadata: write
       attestations: write
       contents: read
       id-token: write
@@ -72,6 +73,7 @@ jobs:
   publish-arm64-win:
     uses: ./.github/workflows/pipeline-segment-electron-publish.yml
     permissions:
+      artifact-metadata: write
       attestations: write
       contents: read
       id-token: write
@@ -90,6 +92,7 @@ jobs:
   publish-x86-win:
     uses: ./.github/workflows/pipeline-segment-electron-publish.yml
     permissions:
+      artifact-metadata: write
       attestations: write
       contents: read
       id-token: write

script/copy-pipeline-segment-publish.js

@@ -12,6 +12,7 @@ const baseContents = fs.readFileSync(base, 'utf-8');
 
 const parsedBase = yaml.parse(baseContents);
 parsedBase.jobs.build.permissions = {
+  'artifact-metadata': 'write',
   attestations: 'write',
   contents: 'read',
   'id-token': 'write'

script/release/uploaders/upload.py

@@ -376,7 +376,7 @@ def upload_io_to_github(release, filename, filepath, version):
         github_output.write(",")
       else:
         github_output.write('UPLOADED_PATHS=')
-      github_output.write(os.path.join(filepath, filename))
+      github_output.write(filepath)
 
 def upload_sha256_checksum(version, file_path, key_prefix=None):
   checksum_path = f'{file_path}.sha256sum'