github-action: provenance (#1447)

elastic · Jun 10, 2024 · f4d928d · f4d928d
1 parent f47030e
commit f4d928d
Showing 1 changed file with 28 additions and 4 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -4,13 +4,19 @@ on:
   push:
     tags:
       - "v[0-9]+*"
+    branches:
+      - main
 
 permissions:
-  contents: write
+  contents: read
 
 jobs:
   release:
     runs-on: ubuntu-latest
+    permissions:
+      attestations: write
+      contents: write
+      id-token: write
     steps:
       - uses: actions/checkout@v4
       - uses: ruby/setup-ruby@v1
@@ -32,13 +38,29 @@ jobs:
           echo '---' > "${RUBY_CREDENTIALS_FILE}"
           echo ":rubygems_api_key: ${API_KEY}" >> "${RUBY_CREDENTIALS_FILE}"
           chmod 0600 "${RUBY_CREDENTIALS_FILE}"
+
       - name: Install build system
         run: .ci/scripts/install-build-system.sh
-      - run: rake release
+
+      - name: rake release (only for tags)
+        run: rake release
+        if: startsWith(github.ref, 'refs/tags')
+
+      - name: rake build
+        run: rake build
+        if:  ${{ ! startsWith(github.ref, 'refs/tags') }}
+
+      - name: generate build provenance
+        uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d  # v1.1.2
+        with:
+          subject-path: "${{ github.workspace }}/pkg/*.gem" 
+
   update-branch:
     needs:
       - release
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - uses: actions/checkout@v4
       - uses: ruby/setup-ruby@v1
@@ -48,7 +70,9 @@ jobs:
         uses: elastic/apm-pipeline-library/.github/actions/setup-git@current
       - name: Install build system
         run: .ci/scripts/install-build-system.sh
-      - run: rake release:update_branch
+      - name: rake release:update_branch (only for tags)
+        run: rake release:update_branch
+        if: startsWith(github.ref, 'refs/tags')
 
   status:
     if: always()
@@ -62,7 +86,7 @@ jobs:
         with:
           needs: ${{ toJSON(needs) }}
       - run: ${{ steps.check.outputs.isSuccess }}
-      - if: always()
+      - if: ${{ always() && startsWith(github.ref, 'refs/tags') }}
         uses: elastic/apm-pipeline-library/.github/actions/notify-build-status@current
         with:
           vaultUrl: ${{ secrets.VAULT_ADDR }}