From 23427ab9db05a5121feebefb6a2ebaa775edf3ff Mon Sep 17 00:00:00 2001
From: Lauren Tan
Date: Mon, 24 Mar 2025 16:40:55 -0400
Subject: [PATCH] [ci] Add artifact attestation to build

Adds a signed build provenance attestations via https://github.com/actions/attest-build-provenance
---
 .github/workflows/runtime_build_and_test.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/.github/workflows/runtime_build_and_test.yml b/.github/workflows/runtime_build_and_test.yml
index 343c32724e..bed68756d0 100644
--- a/.github/workflows/runtime_build_and_test.yml
+++ b/.github/workflows/runtime_build_and_test.yml
@@ -332,6 +332,7 @@ jobs:
 - name: Display structure of build
 run: ls -R build
 - name: Archive build
+ id: upload_build
 uses: actions/upload-artifact@v4
 with:
 name: _build_${{ matrix.worker_id }}_${{ matrix.release_channel }}
@@ -468,6 +469,7 @@ jobs:
 # TODO: Migrate scripts to use `build` directory instead of `build2`
 - run: cp ./build.tgz ./build2.tgz
 - name: Archive build artifacts
+ id: upload
 uses: actions/upload-artifact@v4
 with:
 name: artifacts_combined
@@ -475,6 +477,10 @@ jobs:
 ./build.tgz
 ./build2.tgz
 if-no-files-found: error
+ - uses: actions/attest-build-provenance@v2
+ with:
+ subject-name: artifacts_combined.zip
+ subject-digest: sha256:${{ steps.upload.outputs.artifact-digest }}
 check_error_codes:
 name: Search build artifacts for unminified errors
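Review bot: The `id: upload_build` added to the "Archive build" step in the first hunk is not referenced anywhere in this patch; only `steps.upload` from the combined-artifacts job feeds the new attestation step. As written, the per-worker `_build_${{ matrix.worker_id }}_${{ matrix.release_channel }}` artifacts get no provenance, so a verifier can only check the final zip and not the intermediate builds it was assembled from. Either attest them in the same job with `subject-digest: sha256:${{ steps.upload_build.outputs.artifact-digest }}`, or drop the id until something consumes it. The job continues outside the hunk, so a consumer that is not visible here may exist.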
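Review bot: The new `actions/attest-build-provenance@v2` step in the last hunk needs `id-token: write` and `attestations: write` on its job, and none of the six added lines grants them (the job header is outside the hunk, so existing permissions cannot be confirmed from here). If the workflow's token defaults are read-only, the step will fail instead of signing; add a job-level `permissions:` block with those two scopes plus `contents: read`, on this job only, so that the build and test jobs do not also receive an OIDC token. Because this step runs with a signing identity, pin it to a full commit SHA rather than the movable tag, e.g. `uses: actions/attest-build-provenance@<full-commit-sha> # v2`. The attested subject is the digest of the uploaded zip, not of `build.tgz` or `build2.tgz`, so a comment such as `# provenance covers artifacts_combined.zip as stored by upload-artifact; verify the downloaded zip, not the extracted tarballs` above the step would save consumers a failed verification. The step also lacks a `name:`, unlike the neighbouring steps.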