From 0f9f778483317e264642b52a3af9d378f1763824 Mon Sep 17 00:00:00 2001
From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Date: Mon, 13 May 2024 11:14:48 -0400
Subject: [PATCH] Attest build provenance of artifacts (#122)

* Attest build provenance of artifacts

* Add attest-build-provenance input to changelog

* Try out attestation in CI

* Clarify this is only GitHub attestation

* Revert "Try out attestation in CI"

This reverts commit 6a782e169f4bae1316d317fada835e1a62932aa7.

---------

Co-authored-by: Hynek Schlawack
---
 CHANGELOG.md | 6 ++++++
 README.md | 4 ++++
 action.yml | 10 ++++++++++
 3 files changed, 20 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0a15b36..d56b42f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,12 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 
 ## [Unreleased](https://github.com/hynek/build-and-inspect-python-package/compare/v2.4.0...main)
 
+### Added
+
+- New input: `attest-build-provenance-github` generates signed build provenance attestations for workflow artifacts.
+  [#122](https://github.com/hynek/build-and-inspect-python-package/pull/122)
+
+
 ## [2.4.0](https://github.com/hynek/build-and-inspect-python-package/compare/v2.3.0...v2.4.0) - 2024-04-11
 
 ### Changed
diff --git a/README.md b/README.md
index b20f1bb..ca53c08 100644
--- a/README.md
+++ b/README.md
@@ -95,6 +95,10 @@ While *build-and-inspect-python-package* will build a wheel for you by default,
   Use this if you want to build multiple packages in one workflow.
   (*optional*, default: `''`).
+- `attest-build-provenance-github`: Whether to generate signed build provenance attestations for workflow artifacts using [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance).
+  Requires `attestations: write` and `id-token: write` permissions.
+  The only meaningful value is `'true'` (note the quotes – GitHub Actions only allow string inputs) and everything else is treated as falsey.
+  (*optional*, default: `'false'`).
 
 
 ### Outputs
 
diff --git a/action.yml b/action.yml
index 9f297eb..d0b87fe 100644
--- a/action.yml
+++ b/action.yml
@@ -19,6 +19,10 @@ inputs:
     description: Suffix to append to the artifact names.
     required: false
     default: ""
+  attest-build-provenance-github:
+    description: "Attest provenance using GitHub's own action. Requires 'attestations: write' and 'id-token: write' permissions."
+    required: false
+    default: 'false'
 outputs:
   dist:
     description: The location of the built packages.
@@ -102,6 +106,12 @@ runs:
         shell: bash
         working-directory: ${{ inputs.path }}
 
+      - name: Attest GitHub build provenance
+        if: ${{ inputs.attest-build-provenance-github == 'true' }}
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-path: "/tmp/baipp/dist/*"
+
       - name: Set output
         id: dist-location-setter
         shell: bash
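Review bot: The new input's description names the permissions the caller must grant but says nothing about what gets signed or how a consumer checks the result, which is the part a downstream user of the attestation actually needs. Since a composite action cannot request permissions for itself, and the step simply fails when the calling workflow lacks them, I would make the description carry the full contract: `description: "Attest build provenance of the built packages in dist with GitHub's own action (actions/attest-build-provenance). The calling workflow must grant 'attestations: write' and 'id-token: write'; consumers can verify a downloaded file with 'gh attestation verify <file> --owner <owner>'."`. The mixed quoting on the new lines (double quotes on `description`, single quotes on `default: 'false'`, while the sibling input above uses `default: ""`) is a small style point worth aligning while here.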
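Review bot: `uses: actions/attest-build-provenance@v1` references a mutable major-version tag, which sits oddly in a step whose whole purpose is supply-chain provenance — if that tag is ever moved, the code producing the signed statement changes without any change in this repository. Pin it to a full commit SHA with the version recorded in a trailing comment, `uses: actions/attest-build-provenance@<full-commit-sha>  # vX.Y.Z`, and let Dependabot or Renovate bump it; I cannot see how the other `uses:` lines in this file are pinned, so if they use tags this is the one to convert first. A comment above the step would also spare callers a confusing failure: `# Needs id-token: write and attestations: write from the calling workflow; the OIDC token is generally not issued to pull_request runs from forks, so callers should only set the input on trusted triggers.` Worth stating, perhaps in the same comment, that the attestation records that every file matching `/tmp/baipp/dist/*` at this point was produced by this workflow run — it says nothing about the trustworthiness of the build inputs, and anything an earlier step drops into that directory is signed along with the sdist and wheel.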