diff --git a/.github/workflows/publish-rust.yml b/.github/workflows/publish-rust.yml index fc3c15d99..a8a7a82f1 100644 --- a/.github/workflows/publish-rust.yml +++ b/.github/workflows/publish-rust.yml @@ -207,13 +207,29 @@ jobs: name: Publish crate runs-on: ubuntu-latest needs: [format, clippy, detached-minimal-versions, semver, docsrs] + environment: prod permissions: contents: write + id-token: write + attestations: write steps: + - uses: actions/create-github-app-token@v2 + id: app-token + with: + app-id: ${{ vars.APP_ID }} + private-key: ${{ secrets.PRIVATE_KEY }} + + - name: Set git config + run: | + git config --global user.email "github-actions@github.com" + git config --global user.name "github-actions" + git config --global url."https://x-access-token:${GITHUB_TOKEN}@github.com/".insteadOf https://github.com/ + env: + GITHUB_TOKEN: ${{ steps.app-token.outputs.token }} + - name: Git Checkout uses: actions/checkout@v4 with: - token: ${{ secrets.ANZA_TEAM_PAT }} fetch-depth: 0 # get the whole history for git-cliff - name: Setup Environment @@ -228,27 +244,16 @@ jobs: with: tool: cargo-release - - name: Ensure CARGO_REGISTRY_TOKEN variable is set - env: - token: ${{ secrets.CARGO_REGISTRY_TOKEN }} - if: ${{ env.token == '' }} - run: | - echo "The CARGO_REGISTRY_TOKEN secret variable is not set" - echo "Go to \"Settings\" -> \"Secrets and variables\" -> \"Actions\" -> \"New repository secret\"." - exit 1 - - - name: Set Git Author - run: | - git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com" - git config --global user.name "github-actions[bot]" - - name: Rebase (in case any changes landed after) run: git pull --rebase origin + - uses: rust-lang/crates-io-auth-action@v1 + id: auth + - name: Publish Crate id: publish env: - CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }} + CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }} run: | if [ "${{ inputs.level }}" == "version" ]; then LEVEL=${{ inputs.version }} 
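Review bot: The `url."https://x-access-token:${GITHUB_TOKEN}@github.com/".insteadOf` line in the new "Set git config" step writes the App installation token in clear text into `~/.gitconfig` and applies it to every `https://github.com/` URL the job touches, not just the push back to this repository, so any later step or tool that fetches from github.com through git (a git dependency resolved by cargo with the CLI fetcher, a submodule, a script) would present the token to whatever it talks to. The narrower option, and the one the removed line already used with the PAT, is to hand the token to checkout as `token: ${{ steps.app-token.outputs.token }}` and drop the global `insteadOf`; checkout then stores the credential only in this repo's `.git/config`, and the later `git pull --rebase` and the push made by the publish script use it from there. Consider also narrowing the minted token on the `create-github-app-token` step, e.g. `permission-contents: write`, if the pinned version supports the `permission-*` inputs, since by default the token appears to inherit whatever the installation was granted. The "Publish crate" job body continues outside the hunk.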
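Review bot: `uses: rust-lang/crates-io-auth-action@v1` is referenced by a mutable tag inside a job that now holds `id-token: write` and exchanges that identity for a crates.io publish token, so a force-moved or compromised tag would run with exactly the credentials this job is trying to protect; pin it to a full commit SHA with the tag as a trailing comment, `- uses: rust-lang/crates-io-auth-action@<full-sha> # v1`, and do the same for the other new `uses:` lines in this file. The removed "Ensure CARGO_REGISTRY_TOKEN" guard has no counterpart here, and with OIDC the equivalent precondition is a Trusted Publishing entry on crates.io for this repository and workflow, which the auth step will only report at run time, so a one-line comment above the step, `# needs a crates.io Trusted Publishing config for this repo/workflow; no long-lived token is used`, would save the next maintainer a failed release. The "Publish Crate" run block continues outside the hunk.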
@@ -264,6 +269,12 @@ jobs: ./scripts/publish-rust.sh "${{ inputs.package_path }}" $LEVEL "${{ inputs.dependent_version }}" $OPTIONS + - name: Generate SLSA provenance + if: github.event.inputs.dry_run != 'true' + uses: actions/attest-build-provenance@v3 + with: + subject-path: target/package/*.crate + - name: Generate a changelog if: github.event.inputs.create_release == 'true' uses: orhun/git-cliff-action@v4 @@ -280,3 +291,4 @@ jobs: with: tag: ${{ steps.publish.outputs.new_git_tag }} bodyFile: TEMP_CHANGELOG.md + token: ${{ steps.app-token.outputs.token }}
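Review bot: `subject-path: target/package/*.crate` attests every archive under `target/package`, so if `target/` is ever restored from a cache or the publish script packages more than the one crate named by `inputs.package_path`, stale or unrelated archives receive a provenance statement signed by this run; the step cannot be seen to pin the subject to the crate just built (only `new_git_tag` is visible as a publish output), so at minimum document the assumption with `# assumes target/package holds only the crate packaged by this run (no target/ caching)`. The condition also reads `github.event.inputs.dry_run` while the rest of the job uses the `inputs.*` context; the two are equivalent for workflow_dispatch but mixing them is easy to misread, and `if: inputs.dry_run != 'true'` matches the surrounding style. The enclosing steps list continues on both sides of the hunk.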
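Review bot: Passing `token: ${{ steps.app-token.outputs.token }}` to the release step changes more than authentication: a release created with the default `GITHUB_TOKEN` does not trigger other workflows, whereas one created with an App token does, so any workflow in this repository listening on `release` events will start firing from this job. That is presumably the intent of moving off the PAT, but it deserves a comment on the new line, `# App token (not GITHUB_TOKEN) so the release event triggers downstream workflows`, and a check that nothing listening on `release` assumes a human-initiated event. The release step's `uses:` line is outside the hunk.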