
feat: add build provenance attestation to publish workflows #781

Description

@edelauna

Summary

Both publish workflows build and ship a VSIX but do not generate a provenance attestation. Adding actions/attest-build-provenance gives users cryptographic proof that a given .vsix was produced by this repo's CI — closes the last supply-chain gap identified in the security posture audit.

Background

A security posture review confirmed:

  • marketplace-publish.yml — builds VSIX at "Package extension" step (pnpm --filter ./src vsix), output at bin/zoo-code-<version>.vsix
  • nightly-publish.yml — builds VSIX at "Package pre-release VSIX" step (vsce package --pre-release), output at bin/zoo-code-<version>.vsix

Neither workflow currently calls actions/attest-build-provenance.

Changes required

1. marketplace-publish.yml (publish-stable job)

Add id-token: write and attestations: write to the job-level permissions block (currently only has contents: write), then insert an attestation step immediately after "Package extension" and before "Validate packaged manifest identity":

- name: Attest VSIX provenance
  uses: actions/attest-build-provenance@v2
  with:
    subject-path: |
      bin/zoo-code-${{ steps.version.outputs.number }}.vsix

Note: the stable workflow derives the version inline via node -p rather than a named step output. Either capture it as a step output first, or use a glob: subject-path: 'bin/*.vsix'.

2. nightly-publish.yml (publish-prerelease job)

The top-level permissions block currently has only contents: read. Add the two new permissions there (or at job level), then insert an attestation step after "Validate packaged manifest identity" and before "Publish pre-release to VS Code Marketplace":

- name: Attest pre-release VSIX provenance
  uses: actions/attest-build-provenance@v2
  with:
    subject-path: bin/zoo-code-${{ steps.version.outputs.number }}.vsix

The steps.version.outputs.number reference is already available in that job.
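The two changes above, put together as one worked workflow fragment. This is an added example, not a file from the issue or from the Zoo-Code repository: it shows the publish-stable job with the permissions added at job level, the version captured as a step output (the issue only says the stable workflow computes it inline with node -p; reading it from src/package.json is an assumption), the attestation step, and a verification step that runs the same gh command the acceptance criteria use. Step names other than the ones quoted in the issue are illustrative. The nightly job needs only the permissions and the attestation step, since steps.version.outputs.number already exists there.

```yaml
# Added example (not from the issue or the Zoo-Code repo): publish-stable job in
# marketplace-publish.yml with build provenance attestation wired in.
# Assumption: the version is read from src/package.json; the issue only states that
# the stable workflow derives it inline via `node -p`.
jobs:
  publish-stable:
    runs-on: ubuntu-latest
    permissions:
      contents: write       # already present in the job
      id-token: write       # lets the action request an OIDC token to sign with Sigstore
      attestations: write   # lets the action store the attestation on GitHub
    steps:
      - uses: actions/checkout@v4

      # ... existing install/build steps unchanged ...

      # Capture the version once as a step output so later steps can
      # reference steps.version.outputs.number instead of recomputing it.
      - name: Resolve version
        id: version
        run: echo "number=$(node -p "require('./src/package.json').version")" >> "$GITHUB_OUTPUT"

      - name: Package extension
        run: pnpm --filter ./src vsix

      # Attest the exact artifact that will be published. An explicit path is
      # preferred over the bin/*.vsix glob: a stray second .vsix in bin/ would
      # otherwise be attested as well.
      - name: Attest VSIX provenance
        uses: actions/attest-build-provenance@v2
        with:
          subject-path: bin/zoo-code-${{ steps.version.outputs.number }}.vsix

      # ... existing "Validate packaged manifest identity" step unchanged ...

      # Added check (not in the issue): confirm the attestation resolves for this
      # artifact before publishing. gh is preinstalled on GitHub-hosted runners.
      - name: Verify attestation
        env:
          GH_TOKEN: ${{ github.token }}
        run: >
          gh attestation verify
          "bin/zoo-code-${{ steps.version.outputs.number }}.vsix"
          --repo "${{ github.repository }}"

      # ... existing publish step unchanged ...
```

Granting id-token and attestations at the job level rather than in the top-level permissions block keeps the extra scopes off any other jobs in the workflow, which matters most for the nightly file where the top level currently has only contents: read.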

Acceptance criteria

  • Both workflows produce a GitHub attestation artifact on each successful publish run
  • gh attestation verify bin/zoo-code-<version>.vsix --repo Zoo-Code-Org/Zoo-Code exits 0
  • No existing publish steps are broken
