From ef8470cf66b10ca09a2a14570c986e8069295012 Mon Sep 17 00:00:00 2001
From: Charlie <31941002+CharlieMc0@users.noreply.github.com>
Date: Thu, 27 Jun 2024 12:08:15 -0500
Subject: [PATCH] ci: enable artifact attenstations (#2388)

* updated
* Testing
* Testing
* Testing
* Testing
* Testing
* Testing
* Testing
* Testing
* Testing
* Testing
* Testing
* enable all binaries
* enable all binaries
* Testing
* Testing
* Testing
* Testing
* Testing
* enable all binaries
* cleanup from testing
* cleanup from testing
* test default token
* test default token
* changed back to default token
* updated changelog

---------

Co-authored-by: Grant Zukel
Co-authored-by: Alex Gartner
---
 .github/workflows/docker-build-and-push.yml | 4 ++--
 .github/workflows/publish-release.yml | 24 +++++++++++++++++++--
 .goreleaser.yaml | 1 -
 changelog.md | 2 +-
 4 files changed, 25 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/docker-build-and-push.yml b/.github/workflows/docker-build-and-push.yml
index 95ca015953..c2def3200d 100644
--- a/.github/workflows/docker-build-and-push.yml
+++ b/.github/workflows/docker-build-and-push.yml
@@ -30,7 +30,7 @@ jobs:
 fetch-depth: 0
 - name: Set Version from the release title.
- if: github.event_name != 'workflow_dispatch'
+ if: github.event_name == 'workflow_dispatch'
 run: |
 echo "GITHUB_TAG_MAJOR_VERSION=${{ github.event.release.name }}" >> $GITHUB_ENV
@@ -62,7 +62,7 @@ jobs:
 fetch-depth: 0
 - name: Set Version from the release title.
- if: github.event_name != 'workflow_dispatch'
+ if: github.event_name == 'workflow_dispatch'
 run: |
 echo "GITHUB_TAG_MAJOR_VERSION=${{ github.event.release.name }}" >> $GITHUB_ENV
diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml
index 7eded17252..97dc97aa9a 100644
--- a/.github/workflows/publish-release.yml
+++ b/.github/workflows/publish-release.yml
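Review bot: The flipped condition `if: github.event_name == 'workflow_dispatch'` makes "Set Version from the release title." run only on manual dispatches, yet the step still reads `github.event.release.name`, which a workflow_dispatch payload does not carry, so GITHUB_TAG_MAJOR_VERSION would be written empty on dispatch and not written at all on a release event; unless another step outside this hunk sets it for release runs, the condition looks inverted. The second hunk at line 62 makes the identical change. If the intent is that this workflow is no longer driven by `release` events (plausible given publish-release.yml now creates the release with GITHUB_TOKEN, which does not trigger other workflows), the step should take its version from a workflow_dispatch input and be renamed accordingly, with a comment stating that. Separately, interpolating `${{ github.event.release.name }}` straight into `run:` is the expression-injection pattern; passing it through `env:` and using a quoted `"$RELEASE_NAME"` in the shell avoids it.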
@@ -425,6 +425,10 @@ jobs:
 echo "continue"
 publish-release:
+ permissions:
+ id-token: write
+ contents: write
+ attestations: write
 if: ${{ github.event.inputs.skip_release == 'false' }}
 needs:
 - gosec
@@ -495,18 +499,34 @@ jobs:
 uses: softprops/action-gh-release@v1
 with:
 prerelease: true
- token: ${{ secrets.PAT_GITHUB_SERVICE_ACCT }}
+ token: ${{ secrets.GITHUB_TOKEN }}
 body_path: ${{ github.workspace }}-CHANGELOG.txt
 tag_name: ${{ env.GITHUB_TAG_MAJOR_VERSION }}
 - name: Publish Release Files
 env:
- GITHUB_TOKEN: ${{ secrets.PAT_GITHUB_SERVICE_ACCT }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 GORELEASER_CURRENT_TAG: ${{ env.GITHUB_TAG_MAJOR_VERSION }}
 run: |
 touch .release-env
 make release
+ - name: Artifact Attestations
+ id: attestation
+ uses: actions/attest-build-provenance@v1
+ with:
+ subject-path: |
+ dist/zetacored_**/*
+ dist/zetaclientd_**/*
+ dist/checksums.txt
+
+ - name: Upload Attestation Bundle
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ shell: bash
+ run: |
+ gh release upload ${{ env.GITHUB_TAG_MAJOR_VERSION }} ${{ steps.attestation.outputs.bundle-path }}
+
 - name: Clean Up Workspace
 if: always()
 shell: bash
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index 16541f2291..7291e57a08 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -6,7 +6,6 @@
 # - Add SBOMs
 # - Add Docker Builds
 # - SLSA - https://github.com/goreleaser/goreleaser-example-slsa-provenance
-# - Add Code Signing
 env:
 - CGO_ENABLED=1
diff --git a/changelog.md b/changelog.md
index 1a7d568bd3..a16cd90d2d 100644
--- a/changelog.md
+++ b/changelog.md
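Review bot: The new job-level `permissions:` block on `publish-release` correctly grants `id-token: write` and `attestations: write` for provenance, but declaring any `permissions` key on a job sets every scope not listed to `none` rather than inheriting it; if later steps of this job (its body is outside the hunk) push packages or comment on issues, those scopes must be listed here as well. A one-line comment would tell the next reader why each scope exists, e.g. `# id-token/attestations: actions/attest-build-provenance; contents: create the GitHub release`.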
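Review bot: In the added "Upload Attestation Bundle" step both arguments to `gh release upload` are interpolated into the shell with `${{ }}`; GITHUB_TAG_MAJOR_VERSION is already read via the `env` context, so it is exported to the step's environment and can be referenced as `"$GITHUB_TAG_MAJOR_VERSION"`, and the bundle path can go the same way by adding `BUNDLE_PATH: ${{ steps.attestation.outputs.bundle-path }}` under `env:` and changing the command to `gh release upload "$GITHUB_TAG_MAJOR_VERSION" "$BUNDLE_PATH"`. Quoting matters here because the tag originates from a release title rather than from a fixed value. Switching `token:` from PAT_GITHUB_SERVICE_ACCT to GITHUB_TOKEN also has a side effect the commit does not document: a release created with the workflow's own token does not trigger `release`-event workflows, which appears to be why docker-build-and-push.yml is moved to workflow_dispatch in the same commit, so a comment beside `token:` stating that would save future archaeology. Since this step is what produces the provenance, pinning `actions/attest-build-provenance` to a commit SHA instead of the mutable `v1` tag would match the supply-chain goal, though the file pins its other actions by tag too.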
@@ -88,7 +88,7 @@
 * [2382](https://github.com/zeta-chain/node/pull/2382) - add tx input and gas in rpc methods for synthetic eth txs
 ### CI
-
+* [2388](https://github.com/zeta-chain/node/pull/2388) - added GitHub attestations of binaries produced in the release workflow.
 * [2285](https://github.com/zeta-chain/node/pull/2285) - added nightly EVM performance testing pipeline, modified localnet testing docker image to utilitze debian:bookworm, removed build-jet runners where applicable, removed deprecated/removed upgrade path testing pipeline
 * [2268](https://github.com/zeta-chain/node/pull/2268) - updated the publish-release pipeline to utilize the Github Actions Ubuntu 20.04 Runners
 * [2070](https://github.com/zeta-chain/node/pull/2070) - Added commands to build binaries from the working branch as a live full node rpc to test non-governance changes