build: generate artifact attestions for released assets (#48239)

* build: generate artifact attestions for released assets

* chore: address review feedback

---------

Co-authored-by: John Kleinschmidt <kleinschmidtorama@gmail.com>

script/copy-pipeline-segment-publish.js

@@ -0,0 +1,31 @@
+const yaml = require('yaml');
+
+const fs = require('node:fs');
+const path = require('node:path');
+
+const PREFIX = '# AUTOGENERATED FILE - DO NOT EDIT MANUALLY\n# ONLY EDIT .github/workflows/pipeline-segment-electron-build.yml\n\n';
+
+const base = path.resolve(__dirname, '../.github/workflows/pipeline-segment-electron-build.yml');
+const target = path.resolve(__dirname, '../.github/workflows/pipeline-segment-electron-publish.yml');
+
+const baseContents = fs.readFileSync(base, 'utf-8');
+
+const parsedBase = yaml.parse(baseContents);
+parsedBase.jobs.build.permissions = {
+  attestations: 'write',
+  contents: 'read',
+  'id-token': 'write'
+};
+
+if (process.argv.includes('--check')) {
+  if (fs.readFileSync(target, 'utf-8') !== PREFIX + yaml.stringify(parsedBase)) {
+    console.error(`${target} is out of date`);
+    console.error('Please run "copy-pipeline-segment-publish.js" to update it');
+    process.exit(1);
+  }
+} else {
+  fs.writeFileSync(
+    target,
+    PREFIX + yaml.stringify(parsedBase)
+  );
+}

script/release/uploaders/upload.py

@@ -369,6 +369,14 @@ def upload_io_to_github(release, filename, filepath, version):
         sys.stdout.buffer.write(c)
         sys.stdout.flush()
 
+  if "GITHUB_OUTPUT" in os.environ:
+    output_path = os.environ["GITHUB_OUTPUT"]
+    with open(output_path, "r+", encoding='utf-8') as github_output:
+      if len(github_output.readlines()) > 0:
+        github_output.write(",")
+      else:
+        github_output.write('UPLOADED_PATHS=')
+      github_output.write(filename)
 
 def upload_sha256_checksum(version, file_path, key_prefix=None):
   checksum_path = f'{file_path}.sha256sum'