Release and attestation tweaks (#616)

* Abs path * Write. * Pass attestation. * Attest nightly
2025-08-26 23:20:57 +00:00 · 2025-08-19 23:27:58 -07:00 · 2025-08-19 23:27:58 -07:00 · d36537b919
commit d36537b919
parent 8adb4423ac
3 changed files with 14 additions and 12 deletions
--- a/.github/templates/release.md
+++ b/.github/templates/release.md
@ -13,4 +13,4 @@ Update description
 https://github.com/maxgoedjen/secretive/actions/runs/RUN_ID

 ## Attestation
-https://github.com/maxgoedjen/secretive/actions/runs/RUN_ID
+https://github.com/maxgoedjen/secretive/attestations/ATTESTATION_ID
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@ -39,14 +39,11 @@ jobs:
        APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
        APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
      run: xcrun notarytool submit --key ~/.private_keys/AuthKey_$APPLE_API_KEY_ID.p8 --key-id $APPLE_API_KEY_ID --issuer $APPLE_API_ISSUER Secretive.zip
-    - name: Document SHAs
-      run: |
-            echo "sha-512:"
-            shasum -a 512 Secretive.zip
-            shasum -a 512 Archive.zip
-            echo "sha-256:"
-            shasum -a 256 Secretive.zip
-            shasum -a 256 Archive.zip
+    - name: Attest
+      id: attest
+      uses: actions/attest-build-provenance@v2
+      with:
+        subject-path: 'Secretive.zip'
    - name: Upload App to Artifacts
      uses: actions/upload-artifact@v4
      with:
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -29,7 +29,7 @@ jobs:
    runs-on: macos-15
    permissions:
      id-token: write
-      contents: read
+      contents: write
      attestations: write
    timeout-minutes: 10
    steps:
@ -66,17 +66,22 @@ jobs:
        APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
      run: xcrun notarytool submit --key ~/.private_keys/AuthKey_$APPLE_API_KEY_ID.p8 --key-id $APPLE_API_KEY_ID --issuer $APPLE_API_ISSUER Secretive.zip
    - name: Attest
+      id: attest
      uses: actions/attest-build-provenance@v2
      with:
        subject-path: 'Secretive.zip, Xcode_Archive.zip'
    - name: Create Release
      run: |
-            gh release create $TAG_NAME -d -F templates/release.md
+            sed -i.tmp "s/RUN_ID/$RUN_ID/g" .github/templates/release.md
+            sed -i.tmp "s/ATTESTATION_ID/$ATTESTATION_ID/g" .github/templates/release.md
+            gh release create $TAG_NAME -d -F .github/templates/release.md
            gh release upload Secretive.zip
            gh release upload Xcode_Archive.zip
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        TAG_NAME: ${{ github.ref }}
+        RUN_ID: ${{ github.run_id }}
+        ATTESTATION_ID: ${{ steps.attest.outputs.attestation-id }}
    - name: Upload App to Artifacts
      uses: actions/upload-artifact@v4
      with: