Add attestation with sbom

Signed-off-by: C0D3 M4513R <[email protected]>
C0D3-M4513R · Jun 10, 2024 · f7d77f6 · f7d77f6
1 parent e54df3d
commit f7d77f6
Showing 1 changed file with 21 additions and 0 deletions.
diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
@@ -9,6 +9,9 @@ on:
     branches: [main]
 permissions:
   contents: write
+  id-token: write
+  attestations: write
+  actions: read
 
 jobs:
   create-release:
@@ -101,6 +104,24 @@ jobs:
         uses: mozilla-actions/[email protected]
       - name: Run build
         run: cargo build --target ${{ matrix.target }} --release --package ${{ matrix.package }} --bin ${{ matrix.package }}
+      - uses: anchore/sbom-action@v0
+        with:
+          artifact-name: "${{ matrix.package }}-${{ matrix.name }}-sbom.spdx.json"
+          output-file: "${{ matrix.package }}-${{ matrix.name }}-sbom.spdx.json"
+      - uses: actions/attest-sbom@v1
+        with:
+          subject-path: |
+            !target/${{ matrix.target }}/release/*.pdb
+            !target/${{ matrix.target }}/release/*.d
+            !target/${{ matrix.target }}/release/deps
+            !target/${{ matrix.target }}/release/build
+            !target/${{ matrix.target }}/release/.fingerprint
+            !target/${{ matrix.target }}/release/examples
+            !target/${{ matrix.target }}/release/incremental
+            !target/${{ matrix.target }}/release/.cargo-lock
+            target/${{ matrix.target }}/release/${{ matrix.package }}*(?<!\.d)
+          sbom-path: "${{ matrix.package }}-${{ matrix.name }}-sbom.spdx.json"
+          push-to-registry: false
       - name: Upload build artifact
         uses: actions/upload-artifact@v4
         with: