build: fixup attestation for release assets (#49732)

* build: fixup attestation for release assets

* Generate artifact attestation for generated artifacts

* set id-token for attestation

* Add artifact-metadata permission for attestation

* add permissions for testing attestations

* Revert "add permissions for testing attestations"

This reverts commit 0284bed175.

* Revert "set id-token for attestation"

This reverts commit 69a1b13a18.

* Revert "Generate artifact attestation for generated artifacts"

This reverts commit ee0536eceb.

.github/workflows/linux-publish.yml

@@ -45,6 +45,7 @@ jobs:
   publish-x64:
     uses: ./.github/workflows/pipeline-segment-electron-publish.yml
     permissions:
+      artifact-metadata: write
       attestations: write
       contents: read
       id-token: write
@@ -64,6 +65,7 @@ jobs:
   publish-arm:
     uses: ./.github/workflows/pipeline-segment-electron-publish.yml
     permissions:
+      artifact-metadata: write
       attestations: write
       contents: read
       id-token: write
@@ -83,6 +85,7 @@ jobs:
   publish-arm64:
     uses: ./.github/workflows/pipeline-segment-electron-publish.yml
     permissions:
+      artifact-metadata: write
       attestations: write
       contents: read
       id-token: write

.github/workflows/macos-publish.yml

@@ -49,6 +49,7 @@ jobs:
   publish-x64-darwin:
     uses: ./.github/workflows/pipeline-segment-electron-publish.yml
     permissions:
+      artifact-metadata: write
       attestations: write
       contents: read
       id-token: write
@@ -68,6 +69,7 @@ jobs:
   publish-x64-mas:
     uses: ./.github/workflows/pipeline-segment-electron-publish.yml
     permissions:
+      artifact-metadata: write
       attestations: write
       contents: read
       id-token: write
@@ -87,6 +89,7 @@ jobs:
   publish-arm64-darwin:
     uses: ./.github/workflows/pipeline-segment-electron-publish.yml
     permissions:
+      artifact-metadata: write
       attestations: write
       contents: read
       id-token: write
@@ -106,6 +109,7 @@ jobs:
   publish-arm64-mas:
     uses: ./.github/workflows/pipeline-segment-electron-publish.yml
     permissions:
+      artifact-metadata: write
       attestations: write
       contents: read
       id-token: write

.github/workflows/pipeline-segment-electron-publish.yml

@@ -93,6 +93,7 @@ jobs:
         shell: bash
     runs-on: ${{ inputs.build-runs-on }}
     permissions:
+      artifact-metadata: write
       attestations: write
       contents: read
       id-token: write

.github/workflows/windows-publish.yml

@@ -53,6 +53,7 @@ jobs:
   publish-x64-win:
     uses: ./.github/workflows/pipeline-segment-electron-publish.yml
     permissions:
+      artifact-metadata: write
       attestations: write
       contents: read
       id-token: write
@@ -71,6 +72,7 @@ jobs:
   publish-arm64-win:
     uses: ./.github/workflows/pipeline-segment-electron-publish.yml
     permissions:
+      artifact-metadata: write
       attestations: write
       contents: read
       id-token: write
@@ -89,6 +91,7 @@ jobs:
   publish-x86-win:
     uses: ./.github/workflows/pipeline-segment-electron-publish.yml
     permissions:
+      artifact-metadata: write
       attestations: write
       contents: read
       id-token: write

script/copy-pipeline-segment-publish.js

@@ -12,6 +12,7 @@ const baseContents = fs.readFileSync(base, 'utf-8');
 
 const parsedBase = yaml.parse(baseContents);
 parsedBase.jobs.build.permissions = {
+  'artifact-metadata': 'write',
   attestations: 'write',
   contents: 'read',
   'id-token': 'write'

script/release/uploaders/upload.py

@@ -376,7 +376,7 @@ def upload_io_to_github(release, filename, filepath, version):
         github_output.write(",")
       else:
         github_output.write('UPLOADED_PATHS=')
-      github_output.write(filename)
+      github_output.write(filepath)
 
 def upload_sha256_checksum(version, file_path, key_prefix=None):
   checksum_path = f'{file_path}.sha256sum'