From 52338c20dfda76394fc555026c609bdae4b2b02f Mon Sep 17 00:00:00 2001
From: Filippo Valsorda <hi@filippo.io>
Date: Sat, 27 Dec 2025 10:26:47 +0100
Subject: [PATCH] .github/workflows: enable GitHub artifact attestation

Closes #621

Co-authored-by: Helio Machado <0x2b3bfa0+git@googlemail.com>
---
 .github/workflows/build.yml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 61b922d..915187e 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -68,11 +68,13 @@ jobs:
           name: age-binaries-${{ matrix.GOOS }}-${{ matrix.GOARCH }}
           path: age-*
   upload:
-    name: Upload release binaries
+    name: Upload and attest release binaries
     if: github.event_name == 'release'
     needs: build
     permissions:
       contents: write
+      attestations: write
+      id-token: write
     runs-on: ubuntu-latest
     steps:
       - name: Download workflow artifacts
@@ -80,6 +82,10 @@ jobs:
         with:
           pattern: age-binaries-*
           merge-multiple: true
+      - name: Generate artifacts attestation
+        uses: actions/attest-build-provenance@v3
+        with:
+          subject-path: age-*
       - name: Upload release artifacts
         run: gh release upload "$GITHUB_REF_NAME" age-*
         env: