From 57b63f791304aa3f8131b7954f61c8415aba8ca3 Mon Sep 17 00:00:00 2001
From: Pun Butrach <pun.butrach@gmail.com>
Date: Tue, 27 May 2025 20:33:11 +0700
Subject: [PATCH] ci: Attest release artifacts (#3462)

---
 .github/workflows/build_pull_request.yml |  4 ++--
 .github/workflows/release.yml            | 23 +++++++++++++++--------
 .releaserc                               |  8 ++++----
 3 files changed, 21 insertions(+), 14 deletions(-)

diff --git a/.github/workflows/build_pull_request.yml b/.github/workflows/build_pull_request.yml
index 536b6614a..c6bc0e0b8 100644
--- a/.github/workflows/build_pull_request.yml
+++ b/.github/workflows/build_pull_request.yml
@@ -19,8 +19,8 @@ jobs:
       - name: Setup Java
         uses: actions/setup-java@v4
         with:
-          distribution: "temurin"
-          java-version: "17"
+          distribution: 'temurin'
+          java-version: '17'
 
       - name: Cache Gradle
         uses: burrunan/gradle-cache-action@v2
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 83c1a310f..2ebe879db 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -13,24 +13,23 @@ jobs:
     permissions:
       contents: write
       packages: write
+      id-token: write
+      attestations: write
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v4
         with:
-          # Make sure the release step uses its own credentials:
-          # https://github.com/cycjimmy/semantic-release-action#private-packages
-          persist-credentials: false
           fetch-depth: 0
 
       - name: Setup Java
         uses: actions/setup-java@v4
         with:
-          distribution: "temurin"
-          java-version: "17"
+          distribution: 'temurin'
+          java-version: '17'
 
       - name: Cache Gradle
-        uses: burrunan/gradle-cache-action@v2
+        uses: burrunan/gradle-cache-action@v3
 
       - name: Build
         env:
@@ -40,7 +39,7 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: "lts/*"
+          node-version: 'lts/*'
           cache: 'npm'
 
       - name: Install dependencies
@@ -54,6 +53,14 @@ jobs:
           fingerprint: ${{ vars.GPG_FINGERPRINT }}
 
       - name: Release
+        uses: cycjimmy/semantic-release-action@v4
+        id: release
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: npm exec semantic-release
+
+      - name: Attest
+        if: steps.release.outputs.new_release_published == 'true'
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-name: 'Patches ${{ steps.release.outputs.new_release_git_tag }}'
+          subject-path: patches/build/libs/patches-*.rvp
diff --git a/.releaserc b/.releaserc
index 19eb00e81..5c242908b 100644
--- a/.releaserc
+++ b/.releaserc
@@ -23,7 +23,7 @@
         "assets": [
           "README.md",
           "CHANGELOG.md",
-          "gradle.properties",
+          "gradle.properties"
         ],
         "message": "chore: Release v${nextRelease.version} [skip ci]\n\n${nextRelease.notes}"
       }
@@ -36,14 +36,14 @@
             "path": "patches/build/libs/patches-!(*sources*|*javadoc*).rvp?(.asc)"
           }
         ],
-        successComment: false
+        "successComment": false
       }
     ],
     [
       "@saithodev/semantic-release-backmerge",
       {
-        backmergeBranches: [{"from": "main", "to": "dev"}],
-        clearWorkspace: true
+        "backmergeBranches": [{"from": "main", "to": "dev"}],
+        "clearWorkspace": true
       }
     ]
   ]