Summary
Both publish workflows build and ship a VSIX but do not generate a provenance attestation. Adding actions/attest-build-provenance gives users cryptographic proof that a given .vsix was produced by this repo's CI — closes the last supply-chain gap identified in the security posture audit.
Background
A security posture review confirmed:
- `marketplace-publish.yml` — builds the VSIX in the "Package extension" step (`pnpm --filter ./src vsix`); output at `bin/zoo-code-<version>.vsix`
- `nightly-publish.yml` — builds the VSIX in the "Package pre-release VSIX" step (`vsce package --pre-release`); output at `bin/zoo-code-<version>.vsix`
Neither workflow currently calls actions/attest-build-provenance.
Changes required
1. `marketplace-publish.yml` — `publish-stable` job
Add `id-token: write` and `attestations: write` to the job-level `permissions` block (it currently has only `contents: write`), then insert an attestation step immediately after "Package extension" and before "Validate packaged manifest identity":
```yaml
- name: Attest VSIX provenance
  uses: actions/attest-build-provenance@v2
  with:
    subject-path: |
      bin/zoo-code-${{ steps.version.outputs.number }}.vsix
```
Note: the stable workflow derives the version inline via `node -p` rather than a named step output, so `steps.version.outputs.number` does not exist in that job yet. Either capture the version as a step output first, or use a glob: `subject-path: 'bin/*.vsix'` (the glob attests every matching file, so `bin/` must contain only the freshly built package at that point).
2. `nightly-publish.yml` — `publish-prerelease` job
The top-level `permissions` block currently has only `contents: read`. Add the two new permissions there (or at job level), then insert an attestation step after "Validate packaged manifest identity" and before "Publish pre-release to VS Code Marketplace":
```yaml
- name: Attest pre-release VSIX provenance
  uses: actions/attest-build-provenance@v2
  with:
    subject-path: bin/zoo-code-${{ steps.version.outputs.number }}.vsix
```
The steps.version.outputs.number reference is already available in that job.
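For reference, here is an added example of how the two changes for the stable job fit together, covering both the permissions block and the version-capture step that the attestation step depends on. This is illustration written for this issue, not the repository's actual workflow file: the step names and commands quoted from the issue are real, while the `src/package.json` path, the `version` step's name, the checkout step and the runner label are assumptions.

```yaml
# Added example, not the repository's own marketplace-publish.yml.
# Assumptions: the version lives in src/package.json (the package that
# `pnpm --filter ./src vsix` builds), and the job runs on ubuntu-latest.
jobs:
  publish-stable:
    runs-on: ubuntu-latest
    permissions:
      contents: write       # already present
      id-token: write       # lets the action obtain the OIDC token used for Sigstore signing
      attestations: write   # lets the action store the attestation on the repository
    steps:
      - uses: actions/checkout@v4

      # Assumed step: expose the version as an output once, so the attestation
      # step can reference the exact file name instead of a glob.
      - name: Resolve package version
        id: version
        run: echo "number=$(node -p "require('./src/package.json').version")" >> "$GITHUB_OUTPUT"

      - name: Package extension
        run: pnpm --filter ./src vsix

      # Attest immediately after packaging so the recorded digest is the same
      # bytes that the later validate and publish steps operate on.
      - name: Attest VSIX provenance
        uses: actions/attest-build-provenance@v2
        with:
          subject-path: bin/zoo-code-${{ steps.version.outputs.number }}.vsix

      # The existing "Validate packaged manifest identity" step and the
      # publish step follow here unchanged.
```

The nightly job already has `steps.version.outputs.number`, so it only needs the two permissions and the attestation step from change 2 above. In both workflows the attestation must come after the package step (the subject file has to exist) and before anything that uploads the artifact, otherwise a consumer running `gh attestation verify` will see no attestation for the digest they downloaded.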
Acceptance criteria
`gh attestation verify bin/zoo-code-<version>.vsix --repo Zoo-Code-Org/Zoo-Code` exits 0