chore: add attest to ci workflow (#29)

saidsef · Jun 23, 2024 · f55b571 · f55b571
1 parent 4556b5b
commit f55b571
Showing 1 changed file with 16 additions and 1 deletion.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -77,6 +77,21 @@ jobs:
           version: "latest"
           github_token: ${{ github.token }}
 
+  attest:
+    name: attest
+    runs-on: ubuntu-latest
+    needs: [tfsec]
+    permissions:
+      attestations: write
+      contents: read
+      id-token: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - uses: actions/attest-build-provenance@v1
+        with:
+          subject-path: '*.tf'
+
   caller-identity-check:
     if: contains(github.event_name, 'pull_request')
     name: Return the IAM user
@@ -98,7 +113,7 @@ jobs:
   auto-approve:
     if: contains(github.event_name, 'pull_request')
     runs-on: ubuntu-latest
-    needs: [validate, tfsec, caller-identity-check]
+    needs: [validate, tfsec, attest, caller-identity-check]
     steps:
     - name: Auto Approve PR
       uses: actions/github-script@v7