From cc3e0cc4eed907280413fff78f4c3174b6e13199 Mon Sep 17 00:00:00 2001
From: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
Date: Wed, 22 Jan 2025 21:26:17 -0300
Subject: [PATCH] ci: provenance

Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
---
 .github/workflows/release.yml | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 9dd9e7e..78e22a5 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -8,12 +8,13 @@ name: release
 on:
   push:
     tags:
-      - 'v*'
+      - "v*"
 
 permissions:
-   contents: write # needed to write releases
-   id-token: write # needed for keyless signing
-   packages: write # needed for ghcr access
+  contents: write # needed to write releases
+  id-token: write # needed for keyless signing
+  packages: write # needed for ghcr access
+  attestations: write # needed for provenance
 
 jobs:
   release:
@@ -26,16 +27,19 @@ jobs:
         with:
           go-version: 1.19
           cache: true
-      - uses: sigstore/cosign-installer@v3.7.0         # installs cosign
+      - uses: sigstore/cosign-installer@v3.7.0 # installs cosign
       - uses: anchore/sbom-action/download-syft@v0.17.9 # installs syft
-      - uses: docker/login-action@v3                   # login to ghcr
+      - uses: docker/login-action@v3 # login to ghcr
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
-      - uses: goreleaser/goreleaser-action@v6          # run goreleaser
+      - uses: goreleaser/goreleaser-action@v6 # run goreleaser
         with:
           version: latest
           args: release --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - uses: actions/attest-build-provenance@v2
+        with:
+          subject-checksums: ./dist/checksums.txt