actions/attest-build-provenance

[lectrical]

Adding https://github.com/actions/attest-build-provenance to the ci builds so that the release assets and docker image for the next release tag generate signed build provenance attestations for workflow artifacts.

[emanuele6]

It is erroring with:

Error: Failed to get ID token: Error message: Unable to get ACTIONS_ID_TOKEN_REQUEST_URL env variable

[lectrical]

@emanuele6 that seems a permissions issue on the pr actions. It works in the local repo (except docker push which was working

https://github.com/lectrical/jq/actions/runs/12274537270

It's the normal error you expect if you forgot to add these https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds#generating-build-provenance-for-binaries

Perhaps it should be skipped for pr requests anyway?

[lectrical]

So according to this actions/attest-build-provenance#99 the issue is expected.

I think I can maybe make it skip this on a pr originating from a fork?

[lectrical]

So that worked. The step is skipped unless a tag was pushed. I think that will only happen for a new release?

[itchyny]

I think adding attestation to the artifacts can be moved to the release job. This minimizes the permission. Also, this adds attestation to the aliased artifacts like jq-linux64.