
Merge pull request #10706 from derrod/ci-attestation

CI: Generate/Verify Attestation for Windows builds
Ryan Foster 1 year ago
parent
commit
8c48f8c7b5

+ 3 - 2
.github/actions/windows-patches/action.yaml

@@ -33,8 +33,9 @@ runs:
       run: |
         # Download OBS release
         . ${env:GITHUB_ACTION_PATH}\Invoke-External.ps1
-        Invoke-External gh release download "${{ inputs.tagName }}" -p "*-Windows.zip"
-        Expand-Archive -Path "*-Windows.zip" -DestinationPath "${{ github.workspace }}/build"
+        Invoke-External gh release download "${{ inputs.tagName }}" -p "OBS-Studio-${{ inputs.tagName }}-Windows.zip"
+        Invoke-External gh attestation verify "OBS-Studio-${{ inputs.tagName }}-Windows.zip" --owner obsproject
+        Expand-Archive -Path "OBS-Studio-${{ inputs.tagName }}-Windows.zip" -DestinationPath "${{ github.workspace }}/build"
 
     - name: Setup bouf
       shell: pwsh
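Review bot: The `gh attestation verify` line scopes trust with `--owner obsproject`, which accepts a provenance attestation minted by any workflow in any repository under that organization, so a compromised or misconfigured workflow in an unrelated obsproject repo could produce an artifact this step would accept. Narrow it to the repository and, where the installed gh supports it, to the signing workflow: `Invoke-External gh attestation verify "OBS-Studio-${{ inputs.tagName }}-Windows.zip" --repo obsproject/obs-studio --signer-workflow obsproject/obs-studio/.github/workflows/sign-windows.yaml`. Verification is digest-based, so the renamed release asset only matches the attested `*-x64.zip` if the bytes are identical; any re-packaging between signing and release upload will make this step fail, which is the intended behaviour and worth a one-line comment above the verify call. The `${{ inputs.tagName }}` expansion inside the pwsh script is pre-existing, but the new line repeats it, so if tagName is ever sourced from something untrusted it should be passed via `env:` rather than templated into the script. The step's `- name:`/`shell:` lines are above the hunk.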

+ 2 - 1
.github/workflows/push.yaml

@@ -207,12 +207,13 @@ jobs:
 
   sign-windows-build:
     name: Windows Signing ✍️
-    uses: obsproject/obs-studio/.github/workflows/sign-windows.yaml@d7bf65a80b40bec6446dcb4a2f03629fb74cc3f9
+    uses: obsproject/obs-studio/.github/workflows/sign-windows.yaml@b5b457d7b059397b70f6e3dd09b65e172ad734c3
     if: github.repository_owner == 'obsproject' && github.ref_type == 'tag'
     needs: build-project
     permissions:
       contents: 'read'
       id-token: 'write'
+      attestations: 'write'
     secrets: inherit
 
   create-release:
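Review bot: The `uses:` line pins the reusable workflow to a bare SHA with nothing recording which revision of sign-windows.yaml it is meant to be, so a reader cannot tell whether b5b457d7 already contains the attestation step that the newly added `attestations: 'write'` permission exists for. Add a trailing comment, e.g. `uses: obsproject/obs-studio/.github/workflows/sign-windows.yaml@b5b457d7b059397b70f6e3dd09b65e172ad734c3 # sign-windows.yaml with attest-build-provenance step`, as is usual for SHA-pinned references, so the pin and the permission can be reviewed together on future bumps. Granting `attestations: 'write'` alongside `id-token: 'write'` lets this job mint provenance for whatever it produces, which is what the signing job needs here, but it is the kind of capability a comment should justify in place.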

+ 5 - 0
.github/workflows/sign-windows.yaml

@@ -52,6 +52,11 @@ jobs:
           version: ${{ github.ref_name }}
           channel: ${{ steps.setup.outputs.channel }}
 
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-path: ${{ github.workspace }}/output/*-x64.zip
+
       - name: Upload Signed Build
         uses: actions/upload-artifact@v4
         with:
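Review bot: The new step references `actions/attest-build-provenance@v1`, a mutable major-version tag, while the caller in push.yaml pins the reusable workflow by full commit SHA; the action that signs provenance with the job's OIDC token is precisely the component that should be pinned hardest. Pin it to a full commit SHA with a version comment, e.g. `uses: actions/attest-build-provenance@<full-commit-sha> # v1.x.y`, and let the dependency bot keep it current. The `subject-path` glob `output/*-x64.zip` attests every match, so if the signing step can leave more than one zip (or none) in `output/` the attestation will cover unintended files or the step will fail — prefer the exact filename that the release upload uses. This job's header and any `permissions:` block start above the hunk, so I cannot confirm that `attestations: write` and `id-token: write` are available to this job inside the reusable workflow; if the callee declares its own narrower permissions the caller's grant in push.yaml does not widen them.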