From b616e75e964b43cc3ca7289cf609be00b45df0c6 Mon Sep 17 00:00:00 2001
From: Alex Zenla
Date: Sun, 2 Nov 2025 23:57:58 -0500
Subject: [PATCH] chore(workflows): release workflow should attest the efi artifacts
---
 .github/workflows/release.yml | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e97938d..4362f53 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -20,6 +20,8 @@ jobs:
 name: release
 permissions:
 contents: write # Needed to upload release assets.
+ id-token: write # Needed for attestation.
+ attestations: write # Needed for attestations.
 runs-on: ubuntu-latest
 steps:
 - name: harden runner
@@ -39,6 +41,16 @@ jobs:
 - name: 'assemble artifacts'
 run: ./hack/assemble.sh

+ - name: 'attest sprout-x86_64.efi artifact'
+ uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
+ with:
+ subject-path: target/assemble/sprout-x86_64.efi
+
+ - name: 'attest sprout-aarch64.efi artifact'
+ uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
+ with:
+ subject-path: target/assemble/sprout-aarch64.efi
+
 - name: 'generate cultivator token'
 uses: actions/create-github-app-token@bf559f85448f9380bcfa2899dbdc01eb5b37be3a # v3.0.0-beta.2
 id: generate-token
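Review bot: The `id-token: write` and `attestations: write` grants in the first hunk sit in the job-level `permissions:` block, so they cover every step of the `release` job rather than only the two attest steps. That includes `./hack/assemble.sh` and every other action in the job, all running alongside `contents: write`. Because `permissions` cannot be narrowed per step, a dedicated attest job that receives the assembled files as a workflow artifact and holds only these two grants would keep the build steps away from the signing identity. If the single-job layout is intended, a comment such as `# job-wide grant: build scripts in this job must stay trusted` above the two new lines would record the trade-off. The rest of the job lies outside the hunk, so this rests on the visible steps only.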
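Review bot: The two attest steps in the second hunk differ only in `subject-path`, so the pinned action SHA is duplicated and the two copies can drift apart on a later bump. `actions/attest-build-provenance` accepts a glob or a list of paths, so a single step with `subject-path: 'target/assemble/sprout-*.efi'` would attest both binaries with one pin. The provenance also binds the digest of the files as they exist at this point in the job. The upload step (outside the hunk) therefore has to publish these exact bytes, since any signing or repacking after the attest step would yield release assets that fail verification. A short line in the release notes showing `gh attestation verify sprout-x86_64.efi --repo OWNER/REPO` (placeholder repository) would tell consumers how to check the artifacts.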