From 164be01d925119a2b4897e400f197c4219a223b3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=D0=9E=D0=BB=D0=B5=D0=BA=D1=81=D0=B0=D0=BD=D0=B4=D1=80=20?= =?UTF-8?q?=D0=9A=D0=BE=D0=B7=D0=B0=D0=BA?=
Date: Sat, 16 Nov 2024 13:17:14 +0200
Subject: [PATCH] ci: try to add attest-build-provenance
---
 .github/workflows/ci.yml | 6 ++++--
 .github/workflows/compile-and-test.yml | 9 +++++++++
 .github/workflows/deploy.yml | 6 +-----
 3 files changed, 14 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index dbf68ef35..54d5d95da 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -47,6 +47,10 @@ jobs:
 compile-and-test:
 needs:
 - prepare
+ permissions:
+ contents: write
+ id-token: write
+ attestations: write
 uses: ./.github/workflows/compile-and-test.yml
 with:
 renderer-template: ${{ inputs.renderer-template }}
@@ -57,8 +61,6 @@ jobs:
 if: github.event_name == 'push' && github.ref == 'refs/heads/main'
 permissions:
 contents: write
- id-token: write
- attestations: write
 needs:
 - prepare
 - compile-and-test
diff --git a/.github/workflows/compile-and-test.yml b/.github/workflows/compile-and-test.yml
index 56ab9b6e9..33de4dac7 100644
--- a/.github/workflows/compile-and-test.yml
+++ b/.github/workflows/compile-and-test.yml
@@ -19,6 +19,11 @@ defaults:
 run:
 shell: 'bash'
+permissions:
+ contents: write
+ id-token: write
+ attestations: write
+
 env:
 NODE_NO_WARNINGS: 1
 PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 1
@@ -59,6 +64,10 @@ jobs:
 - run: npm run test --if-present
+ - uses: actions/attest-build-provenance@v1
+ with:
+ subject-path: "dist/root*, dist/latest*.yml"
+
 - name: Upload compiled app
 uses: actions/upload-artifact@v4
 with:
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 3f784d6e4..2c2e54d15 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -12,8 +12,6 @@ on:
 permissions:
 contents: write
- id-token: write
- attestations: write
 defaults:
 run:
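Review bot: `contents: write` on the `compile-and-test` job in ci.yml, and again in the new top-level `permissions:` block of compile-and-test.yml, is broader than the attest step needs; `actions/attest-build-provenance` documents `id-token: write`, `attestations: write` and `contents: read`. That job runs `npm run test` (visible in compile-and-test.yml), so any script executed there would hold a token able to push to the repository. Suggest `contents: read` in both places. In compile-and-test.yml the block would also be better placed on the one job that attests rather than at workflow level, so other jobs in that file, if any, do not inherit `id-token: write`. The job definition continues outside the hunk.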
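Review bot: The new attest step in compile-and-test.yml is unconditional, whereas the deploy job it was moved from ran only for `push` on `refs/heads/main`. If ci.yml also runs on pull requests (its triggers are outside the diff), fork PRs would receive a token without `id-token: write` and this step would fail, while same-repository PRs would get signed provenance for unreviewed builds. Adding `if: github.event_name == 'push' && github.ref == 'refs/heads/main'` to the step keeps the previous scope. Because this is the step that uses the OIDC token, pinning it to a full commit SHA, `uses: actions/attest-build-provenance@<commit-sha> # v1`, instead of the mutable `v1` tag is also worth doing. The step list continues outside the hunk.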
@@ -38,9 +36,7 @@ jobs:
 pattern: "*-${{inputs.distribution-channel}}"
 path: dist
 merge-multiple: true
- - uses: actions/attest-build-provenance@v1
- with:
- subject-path: "dist/root*, dist/latest*.yml"
+
 - run: gh release create v${{inputs.app-version}} dist/root* dist/latest*.yml --repo ${{github.repository}}
 env:
 GH_TOKEN: ${{ github.token }}
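Review bot: With the attest step removed here, the deploy job publishes whatever the artifact download placed in `dist` without checking it against the attestation now created in compile-and-test.yml. A step before `gh release create` that runs `gh attestation verify "$f" --repo "$GITHUB_REPOSITORY"` for each file matched by `dist/root*` and `dist/latest*.yml` would fail the release if an artifact changed between build and publish; it may need `attestations: read` on this job, which is worth confirming. The unchanged `gh release create` line also expands `${{inputs.app-version}}` directly into the shell script, so passing it through `env:` and quoting the variable is the safer form. The step list continues outside the hunk.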