From 40635765483bbad4744d78aa4844ff71d9d5d5eb Mon Sep 17 00:00:00 2001 From: samypr100 <3933065+samypr100@users.noreply.github.com> Date: Sat, 18 Jan 2025 20:28:14 -0500 Subject: [PATCH 1/2] fix: support attestations --- .github/workflows/linux.yml | 6 ++++++ .github/workflows/release.yml | 9 +++++++++ 2 files changed, 15 insertions(+) diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml index 5941c85f..1c8377d2 100644 --- a/.github/workflows/linux.yml +++ b/.github/workflows/linux.yml @@ -245,6 +245,12 @@ jobs: build/pythonbuild validate-distribution ${EXTRA_ARGS} dist/*.tar.zst + - name: Generate attestations + uses: actions/attest-build-provenance@v2 + if: ${{ github.ref == 'refs/heads/main' }} + with: + subject-path: dist/* + - name: Upload Distribution if: ${{ ! matrix.dry-run }} uses: actions/upload-artifact@v4 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 3faca6ac..36c4f17c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -21,6 +21,9 @@ env: permissions: contents: write packages: write + # Permissions used for actions/attest-build-provenance + id-token: write + attestations: write jobs: release: @@ -75,3 +78,9 @@ jobs: # Uploading the relevant artifact to the GitHub release. - run: just release-run ${{ secrets.GITHUB_TOKEN }} ${{ github.event.inputs.sha }} ${{ github.event.inputs.tag }} if: ${{ github.event.inputs.dry-run == 'false' }} + + - name: Generate attestations + uses: actions/attest-build-provenance@v2 + if: ${{ github.event.inputs.dry-run == 'false' }} + with: + subject-path: dist/* From bbb2ddeedcfbdd8551a7366ab613b5910d7d613e Mon Sep 17 00:00:00 2001 From: samypr100 <3933065+samypr100@users.noreply.github.com> Date: Sun, 19 Jan 2025 18:53:47 -0500 Subject: [PATCH 2/2] adjust release glob to only attest .tar.zst and .tar.gz --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
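Review bot: The `Generate attestations` step added to `linux.yml` has no matching permission grant in this workflow: the patch adds `id-token: write` and `attestations: write` only to `release.yml`, and all six lines added here belong to the step. Unless `linux.yml` already grants both outside this hunk, the step fails on `main`, the only ref where its `if:` lets it run, so pull-request CI would not catch it. Grant them on the build job rather than workflow-wide, keeping whatever the job already relies on: `permissions:` with `contents: read`, `id-token: write` and `attestations: write`. The job's step list starts and ends outside the hunk.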
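Review bot: `id-token: write` and `attestations: write` are added at workflow level in `release.yml`, so every job in the file, including any added later, can mint an OIDC token and write attestations. Only the step that calls `actions/attest-build-provenance` needs them; declaring them under `jobs.release.permissions`, together with the `contents: write` and `packages: write` that job uses, keeps the grant on the job that signs. The comment could also say what each permission is for, e.g. `# id-token: mint the OIDC token used for signing; attestations: persist the attestation`. Only the first line of the `release` job is visible in this hunk.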
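Review bot: The attest step in `release.yml` is placed after `just release-run`, which per the comment above it uploads the artifacts to the GitHub release, so a failed attestation leaves a published release whose assets have no provenance. If `dist/` is already fully populated before the upload happens (not visible here), generating the attestation first makes missing provenance block the release instead of trailing it. Separately, `actions/attest-build-provenance@v2` is a mutable tag on a step that runs with `id-token: write`; pinning it to a full commit SHA, `uses: actions/attest-build-provenance@<full-commit-sha> # v2`, here and in the `linux.yml` step keeps the signing code from changing underneath the workflow.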
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 36c4f17c..cf58dc13 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -83,4 +83,4 @@ jobs:
 uses: actions/attest-build-provenance@v2
 if: ${{ github.event.inputs.dry-run == 'false' }}
 with:
- subject-path: dist/*
+ subject-path: dist/*.tar.@(zst|gz)
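Review bot: `dist/*.tar.@(zst|gz)` relies on extglob support in the matcher behind `subject-path`, which nothing in this patch demonstrates; if `@(` is taken literally the pattern matches no file and the step has nothing to attest. The input also accepts a list of paths, so the same restriction can be written without extglob: `subject-path: |` followed by `dist/*.tar.zst` and `dist/*.tar.gz`. The attest step in `linux.yml` from patch 1/2 still uses `dist/*`, while the validation step beside it uses `dist/*.tar.zst`, so it would attest anything else that lands in `dist/`; narrowing it the same way keeps the two workflows consistent.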