From 9a3ddd7106cca8275e1db8b0d6b57808774c9d6b Mon Sep 17 00:00:00 2001
From: Matthew Feickert
Date: Tue, 21 May 2024 16:38:11 -0500
Subject: [PATCH] ci: Add GitHub artifact attestations to package distribution
* Add generation of GitHub artifact attestations to built sdist and wheel before upload.
c.f.:
- https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/
- https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds
---
 .github/workflows/cd.yml | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index 2e3b4cb0..098a4f5f 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -29,6 +29,8 @@ jobs:
 url: https://pypi.org/p/hist
 permissions:
 id-token: write
+ attestations: write
+ contents: read
 steps:
 - uses: actions/download-artifact@v4
@@ -36,4 +38,9 @@ jobs:
 name: Packages
 path: dist
+ - name: Generate artifact attestation for sdist and wheel
+ uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2
+ with:
+ subject-path: "dist/hist-*"
+
 - uses: pypa/gh-action-pypi-publish@release/v1
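Review bot: Adding `attestations: write` next to `id-token: write` widens what every step in this job can do, and of the steps visible here only the new attest step is pinned to a commit SHA; `actions/download-artifact@v4` in this hunk and `pypa/gh-action-pypi-publish@release/v1` in the next are mutable refs. If either ref were repointed, that code would run with the job's ability to request OIDC tokens and write attestations for the repository, which undermines the provenance this commit is trying to establish. I would pin both the same way the new step is, e.g. `- uses: actions/download-artifact@<full-commit-sha> # v4`, and let an update bot bump them. The job definition starts above the hunk, so other steps or settings may exist that are not visible here.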
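Review bot: `subject-path: "dist/hist-*"` attests only the files matching that glob, while the publish step after it shows no filter in this hunk and presumably uploads everything under `dist/`. Anything in the downloaded `Packages` artifact that does not match `hist-*` would then reach PyPI without provenance, and nothing visible here fails if that happens. Either attest exactly the set that is uploaded, or add a step before the upload that fails when `dist/` holds an unexpected file. A short comment above the step, such as `# Verify with: gh attestation verify <file> --repo <owner>/<repo>`, would also tell consumers how to check the result.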