From 3b6e76e7f148d847985ab325e69cf8c242f316ee Mon Sep 17 00:00:00 2001
From: Facundo Tuesca
Date: Wed, 20 Nov 2024 23:01:55 +0100
Subject: [PATCH] Generate GHA attestations during release (#37)

---
 .../.github/workflows/release.yml | 20 ++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/{{cookiecutter.project_slug}}/.github/workflows/release.yml b/{{cookiecutter.project_slug}}/.github/workflows/release.yml
index aa77ca0..3b9fcdc 100644
--- a/{{cookiecutter.project_slug}}/.github/workflows/release.yml
+++ b/{{cookiecutter.project_slug}}/.github/workflows/release.yml
@@ -29,13 +29,31 @@ jobs:
           name: distributions
           path: dist/
 
+  generate-provenance:
+    name: Generate SLSA provenance for distributions
+    runs-on: ubuntu-latest
+    needs: [build]
+    permissions:
+      id-token: write # To sign the provenance.
+      attestations: write # To persist the attestation files.
+    steps:
+      - name: Download distributions
+        uses: actions/download-artifact@v4
+        with:
+          name: distributions
+          path: dist/
+      - name: Generate build provenance
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-path: 'dist/*'
+
   publish:
     name: Publish Python distributions to PyPI
     runs-on: ubuntu-latest
     environment:
       name: pypi
       url: https://pypi.org/p/{{cookiecutter.project_slug}}
-    needs: [build]
+    needs: [build, generate-provenance]
     permissions:
       # Used to sign the release's artifacts with sigstore-python.
       # Used to publish to PyPI with Trusted Publishing.
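Review bot: Both new `uses:` lines in `generate-provenance` pin third-party actions by a mutable major tag (`actions/download-artifact@v4`, `actions/attest-build-provenance@v1`), so the job that holds `id-token: write` and `attestations: write` will silently run whatever those tags are re-pointed to; pin each to a full commit SHA with the version in a trailing comment, e.g. `uses: actions/attest-build-provenance@<FULL-COMMIT-SHA-OF-V1-RELEASE>  # v1` (placeholder; substitute the SHA of the release you pick). The attestation is persisted to GitHub's attestation store rather than written into `dist/`, and as far as this hunk shows nothing in `publish` ships it alongside the distributions, so a comment on the `generate-provenance` job stating where the provenance ends up and that consumers verify it with `gh attestation verify` would save the next maintainer a search. The `generate-provenance` job is complete within the hunk; the `publish` job's body continues past it.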