Add uv release artifact attestations (#11357)

## Summary Similar to https://github.com/astral-sh/uv/pull/8685, this adds attestations for uv release artifacts. The changes on this PR would add attestations for * `dist-manifest.json` * `uv-installer.ps1` * `uv-installer.sh` * All `*.tar.gz` and `*.zip` uv binary files ## Test Plan ~(clarifying note: I'm aware this file is managed cargo dist and this will not work without allow-dirty at this time)~ ~Currently cargo dist targets generation in `build_local_artifacts` which is not used here, plus we'd ideally want to attest the GH downloads / artifacts.~ (edit: fixed by https://github.com/axodotdev/cargo-dist/pull/2000) At a glance, this release workflow seems to work successfully: e.g. Example Run: https://github.com/samypr100/uv/actions/runs/13229100555 e.g. Example Release: https://github.com/samypr100/uv/releases/tag/0.5.29 --------- Co-authored-by: Aria Desires <aria.desires@gmail.com>
2025-10-29 20:33:37 -04:00 · 2025-10-29 20:33:37 -04:00 · f3d3203734
parent 2652244655
commit f3d3203734
2 changed files with 23 additions and 4 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -68,7 +68,7 @@ jobs:
        # we specify bash to get pipefail; it guards against the `curl` command
        # failing. otherwise `sh` won't catch that `curl` returned non-0
        shell: bash
-        run: "curl --proto '=https' --tlsv1.2 -LsSf https://github.com/axodotdev/cargo-dist/releases/download/v0.30.0/cargo-dist-installer.sh | sh"
+        run: "curl --proto '=https' --tlsv1.2 -LsSf https://github.com/axodotdev/cargo-dist/releases/download/v0.30.1/cargo-dist-installer.sh | sh"
      - name: Cache dist
        uses: actions/upload-artifact@6027e3dd177782cd8ab9af838c04fd81a07f1d47
        with:
@ -168,13 +168,17 @@ jobs:
      - custom-build-binaries
      - custom-build-docker
      - build-global-artifacts
-    # Only run if we're "publishing", and only if local and global didn't fail (skipped is fine)
-    if: ${{ always() && needs.plan.outputs.publishing == 'true' && (needs.build-global-artifacts.result == 'skipped' || needs.build-global-artifacts.result == 'success') && (needs.custom-build-binaries.result == 'skipped' || needs.custom-build-binaries.result == 'success') && (needs.custom-build-docker.result == 'skipped' || needs.custom-build-docker.result == 'success') }}
+    # Only run if we're "publishing", and only if plan, local and global didn't fail (skipped is fine)
+    if: ${{ always() && needs.plan.result == 'success' && needs.plan.outputs.publishing == 'true' && (needs.build-global-artifacts.result == 'skipped' || needs.build-global-artifacts.result == 'success') && (needs.custom-build-binaries.result == 'skipped' || needs.custom-build-binaries.result == 'success') && (needs.custom-build-docker.result == 'skipped' || needs.custom-build-docker.result == 'success') }}
    env:
      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    runs-on: "depot-ubuntu-latest-4"
    outputs:
      val: ${{ steps.host.outputs.manifest }}
+    permissions:
+      "attestations": "write"
+      "contents": "write"
+      "id-token": "write"
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
        with:
@ -251,6 +255,15 @@ jobs:
        run: |
          # Remove the granular manifests
          rm -f artifacts/*-dist-manifest.json
+      - name: Attest
+        uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2
+        with:
+          subject-path: |
+            artifacts/*.json
+            artifacts/*.sh
+            artifacts/*.ps1
+            artifacts/*.zip
+            artifacts/*.tar.gz
      - name: Create GitHub Release
        env:
          PRERELEASE_FLAG: "${{ fromJson(needs.host.outputs.val).announcement_is_prerelease && '--prerelease' || '' }}"
--- a/dist-workspace.toml
+++ b/dist-workspace.toml
@ -4,7 +4,7 @@ members = ["cargo:."]
 # Config for 'dist'
 [dist]
 # The preferred dist version to use in CI (Cargo.toml SemVer syntax)
-cargo-dist-version = "0.30.0"
+cargo-dist-version = "0.30.1"
 # Whether to consider the binaries in a package for distribution (defaults true)
 dist = false
 # CI backends to support
@ -46,6 +46,12 @@ pr-run-mode = "plan"
 dispatch-releases = true
 # Which phase dist should use to create the GitHub release
 github-release = "announce"
+# Whether to enable GitHub Attestations
+github-attestations = true
+# When to generate GitHub Attestations
+github-attestations-phase = "host"
+# Patterns to attest when creating attestations for release artifacts
+github-attestations-filters = ["*.json", "*.sh", "*.ps1", "*.zip", "*.tar.gz"]
 # Whether CI should include auto-generated code to build local artifacts
 build-local-artifacts = false
 # Local artifacts jobs to run in CI