From d6c2f59b27a205704b54f0e361928c802aeaf9b2 Mon Sep 17 00:00:00 2001
From: Roberto Tyley <52038+rtyley@users.noreply.github.com>
Date: Wed, 27 Nov 2024 14:46:36 +0000
Subject: [PATCH] See https://github.com/guardian/gha-scala-library-release-workflow/issues/38
---
 .github/workflows/reusable-release.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/.github/workflows/reusable-release.yml b/.github/workflows/reusable-release.yml
index 64ce2b4..2bedd8f 100644
--- a/.github/workflows/reusable-release.yml
+++ b/.github/workflows/reusable-release.yml
@@ -298,6 +298,9 @@ jobs:
 sign:
 name: 🔒 Sign
 needs: [init, push-release-commit, create-artifacts]
+ permissions:
+ id-token: write
+ attestations: write
 runs-on: ubuntu-latest
 env:
 KEY_FINGERPRINT: ${{ needs.init.outputs.key_fingerprint }}
@@ -334,6 +337,9 @@ jobs:
 echo "::error title=Artifact hash verification failed::Artifacts for signing don't match the hash values recorded when they were generated."
 exit 1
 fi
+ - uses: actions/attest-build-provenance@v1
+ with:
+ subject-path: '${{ env.LOCAL_ARTIFACTS_STAGING_PATH }}/**/*.jar'
 - uses: actions/setup-java@v4
 with:
 distribution: corretto
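Review bot: The new `permissions:` block on the `sign` job has two side effects that are not documented anywhere in the hunk. First, every `GITHUB_TOKEN` scope not listed drops to `none` for this job, so any later step that relied on an inherited scope such as `contents: read` would lose it; the rest of the job's steps are outside this hunk, so that needs checking. Second, because this is a reusable workflow, the job cannot receive more than the calling workflow allows, so every caller now has to grant `id-token: write` and `attestations: write` itself or the release will not start. I would add a comment above the block such as `# required by actions/attest-build-provenance; callers of this reusable workflow must grant both scopes` and mention the new caller requirement in the README or release notes.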
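Review bot: `actions/attest-build-provenance@v1` is referenced by a mutable tag in the job that now holds `id-token: write` and, judging by `KEY_FINGERPRINT`, also handles the release signing key. Whatever `v1` points to at run time can therefore request an OIDC token and publish attestations under this repository's identity. Pinning to a full commit SHA keeps that fixed, for example `- uses: actions/attest-build-provenance@<full-commit-sha-placeholder> # v1`. Placing the step after the hash-verification check is good, since only artifacts that matched their recorded hashes get attested. Note that `subject-path` matches only `**/*.jar`, so if the staging directory also holds POMs or other published files they will carry no provenance; a short comment stating that this is intentional would help.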