From 27e554cef08ddd72f26ccaf4dfe50eeba594d98f Mon Sep 17 00:00:00 2001
From: Benjamin Michaelis
Date: Fri, 22 May 2026 17:37:36 -0700
Subject: [PATCH] ci: add best-effort NuGet package attestation

Add actions/attest@v4 to the deploy job for generated .nupkg files and grant required attestations permissions. Keep release behavior unchanged by making attestation non-blocking with continue-on-error.
---
 .github/workflows/deploy.yml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 9eba158..22f962a 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -54,6 +54,8 @@ jobs:
       id-token: write # Required for OIDC token (NuGet trusted publishing)
       contents: read
       actions: read # Required for actions/download-artifact
+      attestations: write
+      artifact-metadata: write
 
     steps:
       - name: Download artifact from build job
@@ -67,6 +69,12 @@ jobs:
         with:
           user: ${{ secrets.NUGET_USER }} # nuget.org profile name (NOT email)
 
+      - name: Attest NuGet packages (best effort)
+        continue-on-error: true
+        uses: actions/attest@v4
+        with:
+          subject-path: '${{ github.workspace }}/*.nupkg'
+
       - name: Push NuGet
         run: |
           $tagVersion = "${{ github.ref }}".substring(11)
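Review bot: The `id-token: write` comment three lines above the added `attestations: write` still names only NuGet trusted publishing, but actions/attest also needs that OIDC token to sign the attestation; if trusted publishing is ever dropped and the permission removed along with it, the new step would start failing without any visible symptom because it runs under `continue-on-error: true`. Suggest widening the comment so the second dependency is recorded where the permission lives: `id-token: write # Required for OIDC token (NuGet trusted publishing, actions/attest signing)`. The permissions mapping starts before this hunk.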
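Review bot: The attest step has no `id:` and `continue-on-error: true` discards its outcome, so when attestation fails the packages are still pushed without provenance and nothing in the run says so; someone later running `gh attestation verify` against the published package gets a failure with no trail back to this job. Give the step an id and add a follow-up step that emits a workflow warning whenever `steps.attest.outcome` is not `success`, which keeps the release non-blocking as intended while making the missing provenance visible in the run summary. It is also worth confirming that the download step (outside this hunk) places the .nupkg files at the workspace root, since `subject-path: '${{ github.workspace }}/*.nupkg'` does not appear to recurse into subdirectories and a no-subjects-matched failure would be swallowed the same way.
```yaml
      - name: Attest NuGet packages (best effort)
        id: attest
        # … unchanged: continue-on-error, uses, with/subject-path …

      - name: Warn when attestation was skipped or failed
        if: steps.attest.outcome != 'success'
        run: echo "::warning::NuGet package attestation outcome was '${{ steps.attest.outcome }}'; packages will be pushed without provenance."
```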