
Commit 332b93d

committed
GHA: add attestation for the installer artifacts
Start attesting the installer artifacts. While we can attest the build further, this allows the user consumable artifacts to be attested. The binaries themselves should be attested as well but code signing the installer should allow us to validate the binaries.
1 parent 1c4919d commit 332b93d

2 files changed

+53
-0
lines changed

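--- a/.github/workflows/build-toolchain.yml
+++ b/.github/workflows/build-toolchain.yml
@@ -851,6 +851,7 @@ jobs:
 ANDROID_NDK_VERSION: ${{ needs.context.outputs.ANDROID_NDK_VERSION }}
 CMAKE_Swift_FLAGS: ${{ needs.context.outputs.WINDOWS_CMAKE_Swift_FLAGS }}
 debug_info: ${{ fromJSON(needs.context.outputs.debug_info) }}
+release: ${{ inputs.create_release }}
 signed: ${{ fromJSON(needs.context.outputs.signed) }}
 swift_version: ${{ needs.context.outputs.swift_version }}
 swift_tag: ${{ needs.context.outputs.swift_tag }}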
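Review bot: The new `release: ${{ inputs.create_release }}` input enables `actions/attest-build-provenance` in the called workflow, which needs `id-token: write` and `attestations: write` on the GITHUB_TOKEN; a called reusable workflow cannot hold more permissions than its caller grants, so the calling job or workflow (its `permissions:` block is outside this hunk) must grant those two scopes or the attest steps will fail at runtime whenever `create_release` is set. The neighbouring `debug_info` and `signed` inputs are wrapped in `fromJSON(...)` because job outputs are strings, while `create_release` is passed bare; that is only correct if `inputs.create_release` is declared with `type: boolean` in this workflow's inputs, which is worth confirming since the called workflow declares `release` as `required: true` / `type: boolean`.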

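--- a/.github/workflows/swift-toolchain.yml
+++ b/.github/workflows/swift-toolchain.yml
@@ -238,6 +238,10 @@ on:
 debug_info:
 required: true
 type: boolean
+
+release:
+required: true
+type: boolean
 
 signed:
 required: true
@@ -294,6 +298,10 @@ defaults:
 run:
 shell: pwsh
 
+permissions:
+id-token: write
+attestations: write
+
 jobs:
 sqlite:
 runs-on: ${{ inputs.default_build_runner }}
@@ -3780,6 +3788,21 @@ jobs:
 -p:VCRedistDir="$([IO.Path]::Combine(${env:VCToolsRedistDir}, "${{ matrix.arch == 'amd64' && 'x64' || 'arm64' }}", "Microsoft.VC143.CRT"))" `
 ${{ github.workspace }}/SourceCache/swift-installer-scripts/platforms/Windows/rtl/msi/rtlmsi.wixproj
 
+- if: ${{ inputs.release }}
+uses: actions/attest-build-provenance@v2
+with:
+subject-path: |
+${{ github.workspace }}/BinaryCache/installer/Release/${{ matrix.arch }}/bld.msi
+${{ github.workspace }}/BinaryCache/installer/Release/${{ matrix.arch }}/bld.cab
+${{ github.workspace }}/BinaryCache/installer/Release/${{ matrix.arch }}/cli.msi
+${{ github.workspace }}/BinaryCache/installer/Release/${{ matrix.arch }}/cli.cab
+${{ github.workspace }}/BinaryCache/installer/Release/${{ matrix.arch }}/dbg.msi
+${{ github.workspace }}/BinaryCache/installer/Release/${{ matrix.arch }}/dbg.cab
+${{ github.workspace }}/BinaryCache/installer/Release/${{ matrix.arch }}/ide.msi
+${{ github.workspace }}/BinaryCache/installer/Release/${{ matrix.arch }}/ide.cab
+${{ github.workspace }}/BinaryCache/installer/Release/${{ matrix.arch }}/rtl.msi
+${{ github.workspace }}/BinaryCache/installer/Release/${{ matrix.arch }}/rtl.cab
+
 - uses: actions/upload-artifact@v4
 with:
 name: Windows-${{ matrix.arch }}-bld-msi
@@ -3954,6 +3977,19 @@ jobs:
 -p:WindowsRuntimeX86="${{ github.workspace }}/BuildRoot/Library/Developer/Runtimes/Windows-i686" `
 ${{ github.workspace }}/SourceCache/swift-installer-scripts/platforms/Windows/platforms/windows/windows.wixproj
 
+- if: ${{ inputs.release }}
+uses: actions/attest-build-provenance@v2
+with:
+subject-path: |
+${{ github.workspace }}/BinaryCache/installer/Release/${{ inputs.build_arch }}/windows.msi
+${{ github.workspace }}/BinaryCache/installer/Release/${{ inputs.build_arch }}/windows.cab
+${{ github.workspace }}/BinaryCache/installer/Release/${{ inputs.build_arch }}/sdk.windows.arm64.cab
+${{ github.workspace }}/BinaryCache/installer/Release/${{ inputs.build_arch }}/sdk.windows.x64.cab
+${{ github.workspace }}/BinaryCache/installer/Release/${{ inputs.build_arch }}/sdk.windows.x86.cab
+${{ github.workspace }}/BinaryCache/installer/Release/amd64/rtl.amd64.msm
+${{ github.workspace }}/BinaryCache/installer/Release/arm64/rtl.arm64.msm
+${{ github.workspace }}/BinaryCache/installer/Release/x86/rtl.x86.msm
+
 - uses: actions/upload-artifact@v4
 with:
 name: Windows-platform-msi
@@ -4126,6 +4162,17 @@ jobs:
 -p:AndroidArchitectures="`"x86_64;aarch64;i686;armv7`"" `
 ${{ github.workspace }}/SourceCache/swift-installer-scripts/platforms/Windows/platforms/android/android.wixproj
 
+- if: ${{ inputs.build_android && inputs.release }}
+uses: actions/attest-build-provenance@v2
+with:
+subject-path: |
+${{ github.workspace }}/BinaryCache/installer/Release/${{ inputs.build_arch }}/android.msi
+${{ github.workspace }}/BinaryCache/installer/Release/${{ inputs.build_arch }}/android.cab
+${{ github.workspace }}/BinaryCache/installer/Release/${{ inputs.build_arch }}/sdk.android.arm64.cab
+${{ github.workspace }}/BinaryCache/installer/Release/${{ inputs.build_arch }}/sdk.android.arm.cab
+${{ github.workspace }}/BinaryCache/installer/Release/${{ inputs.build_arch }}/sdk.android.x64.cab
+${{ github.workspace }}/BinaryCache/installer/Release/${{ inputs.build_arch }}/sdk.android.x86.cab
+
 - if: inputs.build_android
 uses: actions/upload-artifact@v4
 with:
@@ -4253,6 +4300,11 @@ jobs:
 -p:ProductVersion=${{ inputs.swift_version }}-${{ inputs.swift_tag }} `
 ${{ github.workspace }}/SourceCache/swift-installer-scripts/platforms/Windows/bundle/installer.wixproj
 
+- if: ${{ inputs.release }}
+uses: actions/attest-build-provenance@v2
+with:
+subject-path: ${{ github.workspace }}/BinaryCache/installer/Release/${{ matrix.arch }}/installer.exe
+
 - uses: actions/upload-artifact@v4
 with:
 name: Windows-${{ matrix.arch }}-installer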
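Review bot: The workflow-level `permissions:` block added in the `@@ -294,6 +298,10 @@` hunk grants `id-token: write` and `attestations: write` to every job in this workflow, including `sqlite` and the other build jobs that never call `actions/attest-build-provenance`; scoping it per job, e.g. `permissions: { id-token: write, attestations: write }` on only the installer jobs, keeps the OIDC token out of jobs that do not need it. Declaring any `permissions:` block also sets every unlisted scope to none, so a job that previously relied on the default `contents: read` (for example for checkout on a non-public repository) now has to list it explicitly; that dependency is not visible in this diff. In the attest steps (the hunks at new lines 3788, 3977, 4162 and 4300) the subject digests are taken from the freshly built `.msi`/`.cab`/`.msm`/`.exe` before `actions/upload-artifact`; if the `signed` input triggers Authenticode signing of those files afterwards, the recorded digests will not match the published files, so the attest step must run on the final signed bytes — where signing happens is outside these hunks and should be confirmed. Since the attestation's trustworthiness rests on the action producing it, pinning `actions/attest-build-provenance` to a full commit SHA rather than the floating `@v2` tag would be the safer supply-chain choice, even though the file otherwise pins by major tag.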
