From 2e43fdca926b369239588b4a2e54920254493ee1 Mon Sep 17 00:00:00 2001
From: martincostello <martin@martincostello.com>
Date: Sat, 11 May 2024 15:02:00 +0100
Subject: [PATCH] Attest artifacts

- Attest the binaries and packages from the build artifacts.
- Ignore any `binlog` files.
---
 .github/workflows/build.yml | 13 +++++++++++++
 .gitignore                  |  1 +
 2 files changed, 14 insertions(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 793b0563..302b5437 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -36,6 +36,8 @@ jobs:
       dotnet-validate-version: ${{ steps.get-dotnet-validate-version.outputs.dotnet-validate-version }}
 
     permissions:
+      attestations: write
+      contents: read
       id-token: write
 
     strategy:
@@ -87,6 +89,17 @@ jobs:
         flags: ${{ matrix.os_name }}
         token: ${{ secrets.CODECOV_TOKEN }}
 
+    - name: Attest artifacts
+      uses: actions/attest-build-provenance@951c0c5f8e375ad4efad33405ab77f7ded2358e4 # v1.1.1
+      if: |
+        runner.os == 'Windows' &&
+        github.event.repository.fork == false &&
+        (github.ref_name == github.event.repository.default_branch || startsWith(github.ref, 'refs/tags/v'))
+      with:
+        subject-path: |
+          ./artifacts/bin/MartinCostello.Testing.AwsLambdaTestServer/release*/*.dll
+          ./artifacts/package/release/*
+
     - name: Publish artifacts
       uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
       with:
diff --git a/.gitignore b/.gitignore
index bec9aae4..3a911eee 100644
--- a/.gitignore
+++ b/.gitignore
@@ -18,6 +18,7 @@ packages
 TestResults
 UpgradeLog*.htm
 UpgradeLog*.XML
+*.binlog
 *.coverage
 *.DotSettings
 *.log