diff --git a/.github/workflows/linux-publish.yml b/.github/workflows/linux-publish.yml index bedcc4c519..eeea6e98e4 100644 --- a/.github/workflows/linux-publish.yml +++ b/.github/workflows/linux-publish.yml @@ -45,6 +45,7 @@ jobs: publish-x64: uses: ./.github/workflows/pipeline-segment-electron-publish.yml permissions: + artifact-metadata: write attestations: write contents: read id-token: write @@ -64,6 +65,7 @@ jobs: publish-arm: uses: ./.github/workflows/pipeline-segment-electron-publish.yml permissions: + artifact-metadata: write attestations: write contents: read id-token: write @@ -83,6 +85,7 @@ jobs: publish-arm64: uses: ./.github/workflows/pipeline-segment-electron-publish.yml permissions: + artifact-metadata: write attestations: write contents: read id-token: write diff --git a/.github/workflows/macos-publish.yml b/.github/workflows/macos-publish.yml index 5426977aa6..0bc44aa434 100644 --- a/.github/workflows/macos-publish.yml +++ b/.github/workflows/macos-publish.yml @@ -49,6 +49,7 @@ jobs: publish-x64-darwin: uses: ./.github/workflows/pipeline-segment-electron-publish.yml permissions: + artifact-metadata: write attestations: write contents: read id-token: write @@ -68,6 +69,7 @@ jobs: publish-x64-mas: uses: ./.github/workflows/pipeline-segment-electron-publish.yml permissions: + artifact-metadata: write attestations: write contents: read id-token: write @@ -87,6 +89,7 @@ jobs: publish-arm64-darwin: uses: ./.github/workflows/pipeline-segment-electron-publish.yml permissions: + artifact-metadata: write attestations: write contents: read id-token: write @@ -106,6 +109,7 @@ jobs: publish-arm64-mas: uses: ./.github/workflows/pipeline-segment-electron-publish.yml permissions: + artifact-metadata: write attestations: write contents: read id-token: write diff --git a/.github/workflows/pipeline-segment-electron-publish.yml b/.github/workflows/pipeline-segment-electron-publish.yml index 805d1e7ca0..b2fcdb5c52 100644 --- a/.github/workflows/pipeline-segment-electron-publish.yml +++ b/.github/workflows/pipeline-segment-electron-publish.yml @@ -93,6 +93,7 @@ jobs: shell: bash runs-on: ${{ inputs.build-runs-on }} permissions: + artifact-metadata: write attestations: write contents: read id-token: write diff --git a/.github/workflows/windows-publish.yml b/.github/workflows/windows-publish.yml index 1a02f7fec8..182e1cf85d 100644 --- a/.github/workflows/windows-publish.yml +++ b/.github/workflows/windows-publish.yml @@ -53,6 +53,7 @@ jobs: publish-x64-win: uses: ./.github/workflows/pipeline-segment-electron-publish.yml permissions: + artifact-metadata: write attestations: write contents: read id-token: write @@ -71,6 +72,7 @@ jobs: publish-arm64-win: uses: ./.github/workflows/pipeline-segment-electron-publish.yml permissions: + artifact-metadata: write attestations: write contents: read id-token: write @@ -89,6 +91,7 @@ jobs: publish-x86-win: uses: ./.github/workflows/pipeline-segment-electron-publish.yml permissions: + artifact-metadata: write attestations: write contents: read id-token: write diff --git a/script/copy-pipeline-segment-publish.js b/script/copy-pipeline-segment-publish.js index f210f245d5..e3690e1a56 100644 --- a/script/copy-pipeline-segment-publish.js +++ b/script/copy-pipeline-segment-publish.js @@ -12,6 +12,7 @@ const baseContents = fs.readFileSync(base, 'utf-8'); const parsedBase = yaml.parse(baseContents); parsedBase.jobs.build.permissions = { + 'artifact-metadata': 'write', attestations: 'write', contents: 'read', 'id-token': 'write' diff --git a/script/release/uploaders/upload.py b/script/release/uploaders/upload.py index 640ddf9e46..f2108a33bb 100755 --- a/script/release/uploaders/upload.py +++ b/script/release/uploaders/upload.py @@ -376,7 +376,7 @@ def upload_io_to_github(release, filename, filepath, version): github_output.write(",") else: github_output.write('UPLOADED_PATHS=') - github_output.write(filename) + github_output.write(filepath) def upload_sha256_checksum(version, file_path, key_prefix=None): checksum_path = f'{file_path}.sha256sum'