Skip release attestation for private repo

iFurySt · web-flow · commit 1c1582d6f0a9 · 2026-05-08T21:17:30.000+08:00
Skips GitHub artifact attestation on private repositories and documents the limitation.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -78,6 +78,7 @@ jobs:
             dist/sbom.spdx.json
 
       - name: 生成 build provenance
+        if: ${{ !github.event.repository.private }}
         uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
         with:
           subject-path: |
diff --git a/docs/SUPPLY_CHAIN_SECURITY.md b/docs/SUPPLY_CHAIN_SECURITY.md
@@ -23,8 +23,9 @@
 - Dependency Review 在 public repo 可以直接使用；private repo 通常需要 GitHub Advanced Security 或对应的代码安全能力。
 - OSV 和 SBOM 的效果依赖仓库里存在可识别的依赖清单或 lockfile。
 - `scripts/release-package.sh` 当前会产出 Chrome extension zip，并把它纳入
-  release provenance；后续新增 native host 二进制发布时，也要把对应制品纳入
-  同一套 attestation。
+  release provenance；user-owned private repository 不支持 GitHub artifact
+  attestation，release workflow 会在 private repo 下跳过 provenance。
+  后续新增 native host 二进制发布时，也要把对应制品纳入同一套 attestation。
 - OpenSSF Scorecard 默认不启用，因为新模板仓库还没有真实分支保护、release 历史和 SAST 姿态可以评分；等仓库规则配置完成后再按需加回。
 
 ## 项目落地后建议继续做的事
diff --git a/docs/histories/2026-05/20260508-2105-chrome-web-store-release.md b/docs/histories/2026-05/20260508-2105-chrome-web-store-release.md
@@ -33,6 +33,8 @@
 - **[CI Green]**: Adjusted Markdown lint for accumulated history docs, skipped
   Dependency Review on private repositories that do not support it, and bumped
   Go/Electron versions away from OSV-reported vulnerable baselines.
+- **[Private Release]**: Skipped GitHub artifact attestation for user-owned
+  private repositories, where GitHub does not expose that feature.
 
 ### Design Intent
 
