diff --git a/.github/workflows/linux-publish.yml b/.github/workflows/linux-publish.yml index 11ff9ac195..97d16f031e 100644 --- a/.github/workflows/linux-publish.yml +++ b/.github/workflows/linux-publish.yml @@ -46,6 +46,7 @@ jobs: publish-x64: uses: ./.github/workflows/pipeline-segment-electron-publish.yml permissions: + artifact-metadata: write attestations: write contents: read id-token: write @@ -65,6 +66,7 @@ jobs: publish-arm: uses: ./.github/workflows/pipeline-segment-electron-publish.yml permissions: + artifact-metadata: write attestations: write contents: read id-token: write @@ -84,6 +86,7 @@ jobs: publish-arm64: uses: ./.github/workflows/pipeline-segment-electron-publish.yml permissions: + artifact-metadata: write attestations: write contents: read id-token: write diff --git a/.github/workflows/macos-publish.yml b/.github/workflows/macos-publish.yml index f1673ad64c..86a3000ce4 100644 --- a/.github/workflows/macos-publish.yml +++ b/.github/workflows/macos-publish.yml @@ -50,6 +50,7 @@ jobs: publish-x64-darwin: uses: ./.github/workflows/pipeline-segment-electron-publish.yml permissions: + artifact-metadata: write attestations: write contents: read id-token: write @@ -69,6 +70,7 @@ jobs: publish-x64-mas: uses: ./.github/workflows/pipeline-segment-electron-publish.yml permissions: + artifact-metadata: write attestations: write contents: read id-token: write @@ -88,6 +90,7 @@ jobs: publish-arm64-darwin: uses: ./.github/workflows/pipeline-segment-electron-publish.yml permissions: + artifact-metadata: write attestations: write contents: read id-token: write @@ -107,6 +110,7 @@ jobs: publish-arm64-mas: uses: ./.github/workflows/pipeline-segment-electron-publish.yml permissions: + artifact-metadata: write attestations: write contents: read id-token: write diff --git a/.github/workflows/pipeline-segment-electron-publish.yml b/.github/workflows/pipeline-segment-electron-publish.yml index 805d1e7ca0..b2fcdb5c52 100644 --- a/.github/workflows/pipeline-segment-electron-publish.yml +++ b/.github/workflows/pipeline-segment-electron-publish.yml @@ -93,6 +93,7 @@ jobs: shell: bash runs-on: ${{ inputs.build-runs-on }} permissions: + artifact-metadata: write attestations: write contents: read id-token: write diff --git a/.github/workflows/windows-publish.yml b/.github/workflows/windows-publish.yml index 7b53c04213..3292315902 100644 --- a/.github/workflows/windows-publish.yml +++ b/.github/workflows/windows-publish.yml @@ -54,6 +54,7 @@ jobs: publish-x64-win: uses: ./.github/workflows/pipeline-segment-electron-publish.yml permissions: + artifact-metadata: write attestations: write contents: read id-token: write @@ -72,6 +73,7 @@ jobs: publish-arm64-win: uses: ./.github/workflows/pipeline-segment-electron-publish.yml permissions: + artifact-metadata: write attestations: write contents: read id-token: write @@ -90,6 +92,7 @@ jobs: publish-x86-win: uses: ./.github/workflows/pipeline-segment-electron-publish.yml permissions: + artifact-metadata: write attestations: write contents: read id-token: write diff --git a/script/copy-pipeline-segment-publish.js b/script/copy-pipeline-segment-publish.js index f210f245d5..e3690e1a56 100644 --- a/script/copy-pipeline-segment-publish.js +++ b/script/copy-pipeline-segment-publish.js @@ -12,6 +12,7 @@ const baseContents = fs.readFileSync(base, 'utf-8'); const parsedBase = yaml.parse(baseContents); parsedBase.jobs.build.permissions = { + 'artifact-metadata': 'write', attestations: 'write', contents: 'read', 'id-token': 'write' diff --git a/script/release/uploaders/upload.py b/script/release/uploaders/upload.py index 66a6aac22a..f2108a33bb 100755 --- a/script/release/uploaders/upload.py +++ b/script/release/uploaders/upload.py @@ -376,7 +376,7 @@ def upload_io_to_github(release, filename, filepath, version): github_output.write(",") else: github_output.write('UPLOADED_PATHS=') - github_output.write(os.path.join(filepath, filename)) + github_output.write(filepath) def upload_sha256_checksum(version, file_path, key_prefix=None): checksum_path = f'{file_path}.sha256sum'