From c358b917d6b0975e896db83e9907763b3817ea8b Mon Sep 17 00:00:00 2001
From: HuangTao <16779242@qq.com>
Date: Sun, 12 Apr 2026 17:50:44 +0800
Subject: [PATCH] =?UTF-8?q?=E4=B8=BA=E9=A1=B9=E7=9B=AE=E6=B7=BB=E5=8A=A0?= =?UTF-8?q?=20github=20=E7=9A=84=20Provenance=20=E6=9C=BA=E5=88=B6=20(#663?= =?UTF-8?q?3)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* ci: add github provenance attestations
* ci: disable updater metadata in dev workflow
* ci: add provenance smoke test workflow
* build: fallback to alpha release assets api
* ci: remove signing env from dev workflow
* ci: disable updater artifacts in linux dev validation
* ci: support alpha manual trigger tag input
* ci: remove provenance validation scaffolding
* ci: drop redundant provenance job permissions
* ci: limit provenance to release workflow
---
 .github/workflows/release.yml | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 46b04db9b..6c18c6685 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -240,6 +240,26 @@ jobs:
 args: --target ${{ matrix.target }}
 includeUpdaterJson: true
 
+ - name: Attest Windows bundles
+ if: matrix.os == 'windows-latest'
+ uses: actions/attest-build-provenance@v3
+ with:
+ subject-path: target/${{ matrix.target }}/release/bundle/nsis/*setup*
+
+ - name: Attest macOS bundles
+ if: matrix.os == 'macos-latest'
+ uses: actions/attest-build-provenance@v3
+ with:
+ subject-path: target/${{ matrix.target }}/release/bundle/dmg/*.dmg
+
+ - name: Attest Linux bundles
+ if: matrix.os == 'ubuntu-22.04'
+ uses: actions/attest-build-provenance@v3
+ with:
+ subject-path: |
+ target/${{ matrix.target }}/release/bundle/deb/*.deb
+ target/${{ matrix.target }}/release/bundle/rpm/*.rpm
+
 release-for-linux-arm:
 name: Release Build for Linux ARM
 needs: [check_tag_version]
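Review bot: All five new steps use `actions/attest-build-provenance@v3`, a mutable tag, for the action that signs the release provenance with the job's OIDC identity (three steps in this hunk, one each in the `@@ -367,6` and `@@ -478,6` hunks). A full commit SHA keeps a moved or compromised tag from changing what runs at signing time: `uses: actions/attest-build-provenance@<full-commit-sha> # v3`. The guards `if: matrix.os == 'ubuntu-22.04'` and its Windows/macOS siblings also tie attestation to exact runner labels, so a later matrix edit would skip the step without failing the release; `if: runner.os == 'Linux'` (likewise `'Windows'`, `'macOS'`) avoids that. The job and its matrix are defined outside the hunk, so the label values cannot be confirmed from here.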
@@ -367,6 +387,13 @@ jobs:
 echo "VERSION=$(cat package.json | jq '.version' | tr -d '"')" >> $GITHUB_ENV
 echo "BUILDTIME=$(TZ=Asia/Shanghai date)" >> $GITHUB_ENV
 
+ - name: Attest Linux bundles
+ uses: actions/attest-build-provenance@v3
+ with:
+ subject-path: |
+ target/${{ matrix.target }}/release/bundle/deb/*.deb
+ target/${{ matrix.target }}/release/bundle/rpm/*.rpm
+
 - name: Upload Release
 uses: softprops/action-gh-release@v2
 with:
@@ -478,6 +505,11 @@ jobs:
 Rename-Item $file.FullName $newName
 }
 
+ - name: Attest Windows bundles
+ uses: actions/attest-build-provenance@v3
+ with:
+ subject-path: target/${{ matrix.target }}/release/bundle/nsis/*setup*
+
 - name: Upload Release
 uses: softprops/action-gh-release@v2
 with:
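Review bot: No `permissions:` block is visible for the job patched in the `@@ -367,6 +387,13 @@` hunk, and the commit message lists "drop redundant provenance job permissions", so the `id-token: write` and `attestations: write` grants this step needs are presumably declared once for the whole workflow. If that is the case, every job in release.yml, including steps running third-party actions such as `softprops/action-gh-release@v2`, can request an OIDC token for this repository. Declaring `id-token: write` and `attestations: write` under a job-level `permissions:` on the attesting jobs only, next to the `contents: write` the upload step needs, narrows that. The job header is outside the hunk, so this should be checked against the full file.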
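Review bot: In the `@@ -478,6 +505,11 @@` hunk the subject glob `nsis/*setup*` and the `files:` list of the following `Upload Release` step (outside the hunk) select artifacts independently, so the attested set and the published set can drift apart. `*setup*` takes every file in the directory whose name contains `setup`, which after the rename loop above may be more than the installer, while anything uploaded from another path gets no attestation and fails `gh attestation verify` for users. If the renamed installers keep their `.exe` suffix, `subject-path: target/${{ matrix.target }}/release/bundle/nsis/*setup*.exe` is tighter; a short comment above the step, `# subject-path must list the same files as Upload Release below`, records the coupling. The same applies to the macOS step in the first hunk, which attests only `dmg/*.dmg` although `includeUpdaterJson: true` suggests updater bundles are published as well.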