From 33e1eb4f4da71834a16ecdb606825facb8ad8dd2 Mon Sep 17 00:00:00 2001
From: Pavel Boldyrev <627562+bpg@users.noreply.github.com>
Date: Thu, 20 Mar 2025 22:08:30 -0400
Subject: [PATCH] chore(ci): enable attestation (#1841)

Signed-off-by: Pavel Boldyrev <627562+bpg@users.noreply.github.com>
---
 .github/workflows/publish.yml | 14 +++++++++++++-
 .goreleaser.yaml | 2 +-
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 1b66a553..8d385f91 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -13,6 +13,11 @@ on:
 tags:
 - "v*"
 
+permissions:
+ id-token: write
+ contents: read
+ attestations: write
+
 jobs:
 goreleaser:
 runs-on: ubuntu-24.04
@@ -41,8 +46,15 @@ jobs:
 - name: Run GoReleaser
 uses: goreleaser/goreleaser-action@90a3faa9d0182683851fbfa97ca1a2cb983bfca3 # v6.2.1
 with:
- version: latest
+ version: '~> v2'
 args: release --clean
 env:
 GPG_FINGERPRINT: "${{ steps.import_gpg.outputs.fingerprint }}"
 GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}"
+
+ - name: Attest
+ uses: actions/attest-build-provenance@v2
+ with:
+ subject-path: ./dist/*.zip
+ env:
+ GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}"
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index d25784d5..04d1bde3 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -21,7 +21,7 @@ builds:
 goarch: '386'
 binary: '{{ .ProjectName }}_v{{ .Version }}'
 archives:
- - format: zip
+ - formats: [ 'zip' ]
 name_template: '{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}'
 checksum:
 extra_files:
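Review bot: The new `permissions:` block in the first hunk of `.github/workflows/publish.yml` sits at workflow level, so `id-token: write` and `attestations: write` are inherited by every job in the file rather than only the one that attests. Only the `goreleaser` job is visible here and the rest of the workflow is outside the hunk, so this may be harmless today. Moving the three keys under `jobs.goreleaser.permissions` would keep a job added later from being able to mint OIDC tokens or write attestations by default. A short comment per key would also help the next reader, for example `id-token: write  # OIDC identity used to sign the provenance attestation`.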
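Review bot: The added `Attest` step in the second hunk of `.github/workflows/publish.yml` references `actions/attest-build-provenance@v2`, a movable tag, while the `goreleaser-action` step just above it is pinned to a full commit SHA. In a release job that holds `id-token: write` and `attestations: write`, the action that signs provenance should be pinned the same way, e.g. `uses: actions/attest-build-provenance@<full-commit-sha> # v2.x.y` (placeholder; take the SHA from the action's release page). The step also exports the GitHub App token as `GITHUB_TOKEN`, but the action reads its credential from the `github-token` input, which defaults to the workflow token that the new `permissions:` block already scopes for this; the `env:` block therefore looks unnecessary and only widens where the app token is exposed, so it is worth confirming and dropping. `subject-path: ./dist/*.zip` covers the archives only, so if consumers verify the checksums file rather than the zips, consider attesting that file as well.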