build: generate artifact attestions for released assets (#49769)

* build: generate artifact attestions for released assets (#48239) * build: generate artifact attestions for released assets * chore: address review feedback --------- Co-authored-by: John Kleinschmidt <kleinschmidtorama@gmail.com> (cherry picked from commit dec7f937ae) * build: fixup attestation for release assets (#49732) * build: fixup attestation for release assets * Generate artifact attestation for generated artifacts * set id-token for attestation * Add artifact-metadata permission for attestation * add permissions for testing attestations * Revert "add permissions for testing attestations" This reverts commit 0284bed175. * Revert "set id-token for attestation" This reverts commit 69a1b13a18. * Revert "Generate artifact attestation for generated artifacts" This reverts commit ee0536eceb. (cherry picked from commit 0852893910) * chore: update publish workflow --------- Co-authored-by: Samuel Attard <sam@electronjs.org>
2026-02-19 03:14:51 -05:00 · 2026-02-12 10:51:35 -05:00
parent 16fc71f561
commit cad033849b
10 changed files with 344 additions and 12 deletions
--- a/script/copy-pipeline-segment-publish.js
+++ b/script/copy-pipeline-segment-publish.js
@@ -0,0 +1,32 @@
+const yaml = require('yaml');
+
+const fs = require('node:fs');
+const path = require('node:path');
+
+const PREFIX = '# AUTOGENERATED FILE - DO NOT EDIT MANUALLY\n# ONLY EDIT .github/workflows/pipeline-segment-electron-build.yml\n\n';
+
+const base = path.resolve(__dirname, '../.github/workflows/pipeline-segment-electron-build.yml');
+const target = path.resolve(__dirname, '../.github/workflows/pipeline-segment-electron-publish.yml');
+
+const baseContents = fs.readFileSync(base, 'utf-8');
+
+const parsedBase = yaml.parse(baseContents);
+parsedBase.jobs.build.permissions = {
+  'artifact-metadata': 'write',
+  attestations: 'write',
+  contents: 'read',
+  'id-token': 'write'
+};
+
+if (process.argv.includes('--check')) {
+  if (fs.readFileSync(target, 'utf-8') !== PREFIX + yaml.stringify(parsedBase)) {
+    console.error(`${target} is out of date`);
+    console.error('Please run "copy-pipeline-segment-publish.js" to update it');
+    process.exit(1);
+  }
+} else {
+  fs.writeFileSync(
+    target,
+    PREFIX + yaml.stringify(parsedBase)
+  );
+}
--- a/script/release/uploaders/upload.py
+++ b/script/release/uploaders/upload.py
@@ -368,6 +368,14 @@ def upload_io_to_github(release, filename, filepath, version):
        sys.stdout.buffer.write(c)
        sys.stdout.flush()

+  if "GITHUB_OUTPUT" in os.environ:
+    output_path = os.environ["GITHUB_OUTPUT"]
+    with open(output_path, "r+", encoding='utf-8') as github_output:
+      if len(github_output.readlines()) > 0:
+        github_output.write(",")
+      else:
+        github_output.write('UPLOADED_PATHS=')
+      github_output.write(filepath)

 def upload_sha256_checksum(version, file_path, key_prefix=None):
  checksum_path = f'{file_path}.sha256sum'