github-action: add provenance (#373)

elastic · Apr 11, 2024 · a4e7ca2 · a4e7ca2
1 parent 6ba2a8d
commit a4e7ca2
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 6 deletions.
diff --git a/.github/workflows/release-main.yml b/.github/workflows/release-main.yml
@@ -14,9 +14,11 @@ env:
 jobs:
   release:
     runs-on: ubuntu-latest
-
+    permissions:
+      id-token: write
+      contents: write
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - name: Bootstrap Action Workspace
       uses: ./.github/workflows/bootstrap
 
@@ -29,8 +31,13 @@ jobs:
     - name: Inspect public API change
       run: ./build.sh generateapichanges -s true
 
+    - name: generate build provenance
+      uses: github-early-access/generate-build-provenance@main
+      with:
+        subject-path: "${{ github.workspace }}/build/output/*.nupkg"
+
     - name: Prepare feedz.io
-      uses: hashicorp/vault-action@v2.4.2
+      uses: hashicorp/vault-action@v3.0.0
       with:
         url: ${{ secrets.VAULT_ADDR }}
         method: approle
@@ -50,6 +57,13 @@ jobs:
       run: |
           until dotnet nuget push 'build/output/*.nupkg' -k ${{secrets.GITHUB_TOKEN}} --skip-duplicate --no-symbols -s https://nuget.pkg.github.com/elastic/index.json; do echo "Retrying"; sleep 1; done;
 
+    - name: Store artifacts
+      if: success()
+      uses: actions/upload-artifact@v4
+      with:
+        name: nupkg
+        path: build/output/*.nupkg
+
     - if: ${{ failure() }}
       uses: elastic/apm-pipeline-library/.github/actions/slack-message@current
       with:

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -13,9 +13,10 @@ permissions:
 jobs:
   release:
     runs-on: ubuntu-latest
-
+    permissions:
+      id-token: write
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - name: Bootstrap Action Workspace
       uses: ./.github/workflows/bootstrap
 
@@ -34,8 +35,13 @@ jobs:
     - name: Create or update release for tag on github
       run: ./build.sh createreleaseongithub -s true --token ${{ secrets.GITHUB_TOKEN }}
 
+    - name: generate build provenance
+      uses: github-early-access/generate-build-provenance@main
+      with:
+        subject-path: "${{ github.workspace }}/build/output/*.nupkg"
+
     - name: Prepare Nuget
-      uses: hashicorp/vault-action@v2.4.2
+      uses: hashicorp/vault-action@v3.0.0
       with:
         url: ${{ secrets.VAULT_ADDR }}
         method: approle
@@ -48,6 +54,13 @@ jobs:
     - name: Release to Nuget
       run: dotnet nuget push 'build/output/*.nupkg' -k ${REPO_API_KEY} -s ${REPO_API_URL} --skip-duplicate --no-symbols
 
+    - name: Store artifacts
+      if: success()
+      uses: actions/upload-artifact@v4
+      with:
+        name: nupkg
+        path: build/output/*.nupkg
+
     - if: ${{ success() }}
       uses: elastic/apm-pipeline-library/.github/actions/slack-message@current
       with: