From 08528939102c3ec953b07207649ceeab64710fea Mon Sep 17 00:00:00 2001
From: John Kleinschmidt <jkleinsc@electronjs.org>
Date: Wed, 11 Feb 2026 07:17:59 -0500
Subject: [PATCH] build: fixup attestation for release assets (#49732)

* build: fixup attestation for release assets

* Generate artifact attestation for generated artifacts

* set id-token for attestation

* Add artifact-metadata permission for attestation

* add permissions for testing attestations

* Revert "add permissions for testing attestations"

This reverts commit 0284bed17511521d21fe8e0dd1bceab50545b1e2.

* Revert "set id-token for attestation"

This reverts commit 69a1b13a188418b13fc65dac28d33234acdaa1d7.

* Revert "Generate artifact attestation for generated artifacts"

This reverts commit ee0536eceb9eeeb94ee8105ffda66cbabd5751de.
---
 .github/workflows/linux-publish.yml                     | 3 +++
 .github/workflows/macos-publish.yml                     | 4 ++++
 .github/workflows/pipeline-segment-electron-publish.yml | 1 +
 .github/workflows/windows-publish.yml                   | 3 +++
 script/copy-pipeline-segment-publish.js                 | 1 +
 script/release/uploaders/upload.py                      | 2 +-
 6 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/linux-publish.yml b/.github/workflows/linux-publish.yml
index bedcc4c519..eeea6e98e4 100644
--- a/.github/workflows/linux-publish.yml
+++ b/.github/workflows/linux-publish.yml
@@ -45,6 +45,7 @@ jobs:
   publish-x64:
     uses: ./.github/workflows/pipeline-segment-electron-publish.yml
     permissions:
+      artifact-metadata: write
       attestations: write
       contents: read
       id-token: write
@@ -64,6 +65,7 @@ jobs:
   publish-arm:
     uses: ./.github/workflows/pipeline-segment-electron-publish.yml
     permissions:
+      artifact-metadata: write
       attestations: write
       contents: read
       id-token: write
@@ -83,6 +85,7 @@ jobs:
   publish-arm64:
     uses: ./.github/workflows/pipeline-segment-electron-publish.yml
     permissions:
+      artifact-metadata: write
       attestations: write
       contents: read
       id-token: write
diff --git a/.github/workflows/macos-publish.yml b/.github/workflows/macos-publish.yml
index 5426977aa6..0bc44aa434 100644
--- a/.github/workflows/macos-publish.yml
+++ b/.github/workflows/macos-publish.yml
@@ -49,6 +49,7 @@ jobs:
   publish-x64-darwin:
     uses: ./.github/workflows/pipeline-segment-electron-publish.yml
     permissions:
+      artifact-metadata: write
       attestations: write
       contents: read
       id-token: write
@@ -68,6 +69,7 @@ jobs:
   publish-x64-mas:
     uses: ./.github/workflows/pipeline-segment-electron-publish.yml
     permissions:
+      artifact-metadata: write
       attestations: write
       contents: read
       id-token: write
@@ -87,6 +89,7 @@ jobs:
   publish-arm64-darwin:
     uses: ./.github/workflows/pipeline-segment-electron-publish.yml
     permissions:
+      artifact-metadata: write
       attestations: write
       contents: read
       id-token: write
@@ -106,6 +109,7 @@ jobs:
   publish-arm64-mas:
     uses: ./.github/workflows/pipeline-segment-electron-publish.yml
     permissions:
+      artifact-metadata: write
       attestations: write
       contents: read
       id-token: write
diff --git a/.github/workflows/pipeline-segment-electron-publish.yml b/.github/workflows/pipeline-segment-electron-publish.yml
index 805d1e7ca0..b2fcdb5c52 100644
--- a/.github/workflows/pipeline-segment-electron-publish.yml
+++ b/.github/workflows/pipeline-segment-electron-publish.yml
@@ -93,6 +93,7 @@ jobs:
         shell: bash
     runs-on: ${{ inputs.build-runs-on }}
     permissions:
+      artifact-metadata: write
       attestations: write
       contents: read
       id-token: write
diff --git a/.github/workflows/windows-publish.yml b/.github/workflows/windows-publish.yml
index 1a02f7fec8..182e1cf85d 100644
--- a/.github/workflows/windows-publish.yml
+++ b/.github/workflows/windows-publish.yml
@@ -53,6 +53,7 @@ jobs:
   publish-x64-win:
     uses: ./.github/workflows/pipeline-segment-electron-publish.yml
     permissions:
+      artifact-metadata: write
       attestations: write
       contents: read
       id-token: write
@@ -71,6 +72,7 @@ jobs:
   publish-arm64-win:
     uses: ./.github/workflows/pipeline-segment-electron-publish.yml
     permissions:
+      artifact-metadata: write
       attestations: write
       contents: read
       id-token: write
@@ -89,6 +91,7 @@ jobs:
   publish-x86-win:
     uses: ./.github/workflows/pipeline-segment-electron-publish.yml
     permissions:
+      artifact-metadata: write
       attestations: write
       contents: read
       id-token: write
diff --git a/script/copy-pipeline-segment-publish.js b/script/copy-pipeline-segment-publish.js
index f210f245d5..e3690e1a56 100644
--- a/script/copy-pipeline-segment-publish.js
+++ b/script/copy-pipeline-segment-publish.js
@@ -12,6 +12,7 @@ const baseContents = fs.readFileSync(base, 'utf-8');
 
 const parsedBase = yaml.parse(baseContents);
 parsedBase.jobs.build.permissions = {
+  'artifact-metadata': 'write',
   attestations: 'write',
   contents: 'read',
   'id-token': 'write'
diff --git a/script/release/uploaders/upload.py b/script/release/uploaders/upload.py
index 640ddf9e46..f2108a33bb 100755
--- a/script/release/uploaders/upload.py
+++ b/script/release/uploaders/upload.py
@@ -376,7 +376,7 @@ def upload_io_to_github(release, filename, filepath, version):
         github_output.write(",")
       else:
         github_output.write('UPLOADED_PATHS=')
-      github_output.write(filename)
+      github_output.write(filepath)
 
 def upload_sha256_checksum(version, file_path, key_prefix=None):
   checksum_path = f'{file_path}.sha256sum'