yshavit · yshavit · Jul 17, 2024 · Jul 17, 2024 · Jul 17, 2024 · Jul 17, 2024
diff --git a/.github/workflows/build-release.yml b/.github/workflows/build-release.yml
@@ -7,6 +7,12 @@ on:
 env:
   CARGO_TERM_COLOR: always
 
+# for attestations
+permissions:
+  id-token: write
+  attestations: write
+  contents: read
+
 jobs:
   build:
     strategy:
@@ -30,8 +36,6 @@ jobs:
     - uses: actions/checkout@v4
     - name: build
       run: cargo build --release
-    - name: set permission
-      run: chmod +x target/release/$BUILD_FILE_NAME
     - name: sha256sum
       shell: bash
       run: |
@@ -43,19 +47,27 @@ jobs:
         printf '::notice title=sha256sum %s (%s)::%s\n' "$BUILD_FILE_NAME" "$MATRIX_OS" "$(sha256sum "target/release/${BUILD_FILE_NAME}" | cut -f1 -d' ')"
       env:
         MATRIX_OS: ${{ matrix.os }}
+    - name: Attest Build Provenance
+      uses: actions/attest-build-provenance@v1
+      with:
+        subject-path: "target/release/${{ env.BUILD_FILE_NAME }}"
     - name: mac installer
       if: ${{ runner.os == 'macOS' }}
       run: |
         tmp_file="$(mktemp)"
         cp scripts/installer.sh "$tmp_file"
         base64 -b 72 -i target/release/mdq | sed 's/^/# /' >> "$tmp_file"
-        chmod +x "$tmp_file"
         mv "$tmp_file" target/release/mdq-installer.sh
         export BUILD_FILE_NAME=mdq-installer.sh
         echo BUILD_FILE_NAME=mdq-installer.sh >> "$GITHUB_ENV"
         printf '::notice title=sha256sum %s (%s)::%s\n' "$BUILD_FILE_NAME" "$MATRIX_OS" "$(shasum -a 256 "target/release/${BUILD_FILE_NAME}" | cut -f1 -d' ')"
       env:
         MATRIX_OS: ${{ matrix.os }}
+    - name: Attest Build Provenance (mac installer)
+      if: ${{ runner.os == 'macOS' }}
+      uses: actions/attest-build-provenance@v1
+      with:
+        subject-path: "target/release/${{ env.BUILD_FILE_NAME }}"
     - name: upload
       uses: actions/upload-artifact@v4
       with:

diff --git a/README.md b/README.md
@@ -32,14 +32,21 @@ mdq is available under the MIT license. I am open to other permissive licenses,
 
 # Installation
 
-```shell
-cargo install --git https://github.com/yshavit/mdq
-```
+Any of these will work:
+1. ```shell
+   cargo install --git https://github.com/yshavit/mdq
+   ```
+2. You can download binaries from [the latest release] (or any other release, of course).
+3. You can also grab the binaries from the latest [build-release] workflow run. You must be logged into GitHub to do that (their limitation, not mine!)
+
+These binaries are all built on GitHub's servers, so if you trust my code (and dependencies), and you trust GitHub, you can trust the binaries.
+See [the wiki page on release binaries] for information on how to verify them.
 
-You can also grab the binaries from the latest [build-release] run. The build summary contains downloadable binaries
-for Windows, Linux, and Mac. (I haven't tested this on Windows, though.)
+The Windows release hasn't been tested.
 
+[the latest release]: https://github.com/yshavit/mdq/releases/latest
 [build-release]: https://github.com/yshavit/mdq/actions/workflows/build-release.yml
+[the wiki page on release binaries]: https://github.com/yshavit/mdq/wiki/Release-binaries
 
 # Basic Usage
 
@@ -93,4 +100,4 @@ See the [tutorial] for a bit more detail, and [user manual] for the full picture
 
 [tutorial]: https://github.com/yshavit/mdq/wiki/Tutorial
 
-[user manual]: https://github.com/yshavit/mdq/wiki/Full-User-Manual
+[user manual]: https://github.com/yshavit/mdq/wiki/Full-User-Manual