From 337d8c52c594d11d7259f0fe5af25216e268db13 Mon Sep 17 00:00:00 2001
From: Vishal Reddy Gurrala
Date: Sat, 3 Aug 2024 16:55:25 -0500
Subject: [PATCH 1/2] Update release job to generate artifacts attestation

Signed-off-by: Vishal Reddy Gurrala
---
 .github/workflows/release.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 2abf24e90..35b41e433 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -17,6 +17,8 @@ env:
 permissions: # added using https://github.com/step-security/secure-workflows
 contents: read
+ id-token: write
+ attestations: write
 jobs:
 check:
@@ -131,6 +133,10 @@ jobs:
 with:
 name: release-tars-${{env.PLATFORM_CLEAN}}
 path: src/github.com/containerd/containerd/releases/*.tar.gz*
+ - name: Attest Artifacts
+ uses: actions/attest-build-provenance@v1
+ with:
+ subject-path: src/github.com/containerd/containerd/releases/release-tars-${{env.PLATFORM_CLEAN}}.tar.gz*
 release:
 name: Create containerd Release

From fc1637d16e6a59247548fdbf473087d520c98f18 Mon Sep 17 00:00:00 2001
From: Vishal Reddy Gurrala
Date: Mon, 5 Aug 2024 20:54:34 -0500
Subject: [PATCH 2/2] Attest artifacts in release workflow

Signed-off-by: Vishal Reddy Gurrala
---
 .github/workflows/release.yml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 35b41e433..db49df6c3 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -17,8 +17,6 @@ env:
 permissions: # added using https://github.com/step-security/secure-workflows
 contents: read
- id-token: write
- attestations: write
 jobs:
 check:
@@ -133,16 +131,14 @@ jobs:
 with:
 name: release-tars-${{env.PLATFORM_CLEAN}}
 path: src/github.com/containerd/containerd/releases/*.tar.gz*
- - name: Attest Artifacts
- uses: actions/attest-build-provenance@v1
- with:
- subject-path: src/github.com/containerd/containerd/releases/release-tars-${{env.PLATFORM_CLEAN}}.tar.gz*
 release:
 name: Create containerd Release
 if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
 permissions:
 contents: write
+ id-token: write
+ attestations: write
 runs-on: ubuntu-24.04
 timeout-minutes: 10
 needs: [build, check]
@@ -163,3 +159,7 @@ jobs:
 files: |
 builds/release-tars-**/*
 make_latest: false
+ - name: Attest Artifacts
+ uses: actions/attest-build-provenance@v1
+ with:
+ subject-path: ./builds/release-tars-**/*.tar.gz
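Review bot: The two permission lines added under the `release` job's `permissions:` after `contents: write` carry no explanation of why a release job needs to mint OIDC tokens, whereas the workflow-level `permissions:` block visible in the earlier hunk documents its origin with a comment; add one above `id-token: write`, e.g. `# id-token + attestations: needed only by the Attest Artifacts step (actions/attest-build-provenance)`. Scoping the grant to this job rather than the top-level block keeps `build` and `check` at `contents: read`, which is the right trade-off and is worth stating in that same comment so a later cleanup does not hoist it back to workflow level. The `release` job's step list continues outside this hunk.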
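Review bot: `uses: actions/attest-build-provenance@v1` in the added step references a mutable tag, while the workflow's `permissions:` comment (`added using https://github.com/step-security/secure-workflows`) suggests the file was hardened, which normally means actions pinned to a full commit SHA; pin this one the same way, `uses: actions/attest-build-provenance@<full-commit-sha>  # v1`, so a re-tagged action cannot silently change what produces the release provenance (hedged: the other `uses:` lines are not in this hunk). The step also runs after the preceding step has already uploaded `builds/release-tars-**/*`, so a failed attestation leaves a published release with no provenance; if the upload step supports publishing as a draft, consider attesting first, or at least note in a comment that the attestation is best-effort. `subject-path` matches only `*.tar.gz`, so any non-tarball files matched by the `files:` glob (checksum files, if present) are not attested; that is a reasonable choice, but a one-line comment saying so would save the next reader a question. The `release` job's step list starts outside this hunk.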