Fix Release Artifact Signing

Author: maennchen

.github/workflows/part_release.yml

@@ -15,10 +15,8 @@ permissions:
   contents: read
 
 jobs:
-  create_prerelease:
-    name: Create Prerelease
-
-    if: ${{ !inputs.stable }}
+  create:
+    name: Create Release
 
     runs-on: ubuntu-latest
 
@@ -32,6 +30,7 @@ jobs:
           egress-policy: audit
 
       - name: Create prerelease
+        if: ${{ !inputs.stable }}
         env:
           GITHUB_TOKEN: ${{ github.token }}
         run: |
@@ -42,28 +41,54 @@ jobs:
             --generate-notes \
             ${{ inputs.releaseName }}
 
-  create_stable:
-    name: Create Stable
+      - name: Create release
+        if: ${{ inputs.stable }}
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        run: |
+          gh release create \
+            --repo ${{ github.repository }} \
+            --title ${{ inputs.releaseName }} \
+            --generate-notes \
+            ${{ inputs.releaseName }}
+
+  upload_release:
+    name: "Upload"
 
-    if: ${{ inputs.stable }}
+    needs: ["create"]
 
     runs-on: ubuntu-latest
 
     permissions:
+      id-token: write
       contents: write
+      attestations: write
 
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
         with:
           egress-policy: audit
 
-      - name: Create release
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+      - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          name: docs
+          path: docs
+      - run: |
+          tar -czvf docs.tar.gz docs
+      - name: "Attest Documentation"
+        id: attestation
+        uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3
+        with:
+          subject-path: "docs.tar.gz"
+      - name: Copy Attestation
+        run: cp "$ATTESTATION" docs.tar.gz.sigstore
+        env:
+          ATTESTATION: "${{ steps.attestation.outputs.bundle-path }}"
+      - name: Upload
         env:
           GITHUB_TOKEN: ${{ github.token }}
         run: |
-          gh release create \
-            --repo ${{ github.repository }} \
-            --title ${{ inputs.releaseName }} \
-            --generate-notes \
-            ${{ inputs.releaseName }}
+          gh release upload --clobber "${{ github.ref_name }}" \
+            docs.tar.gz docs.tar.gz.sigstore

.github/workflows/tag-beta.yml

@@ -9,21 +9,21 @@ permissions:
   contents: read
 
 jobs:
+  docs:
+    name: "Docs"
+
+    uses: ./.github/workflows/part_docs.yml
+
   release:
     name: "Release"
 
+    needs: ["docs"]
+
     permissions:
+      id-token: write
       contents: write
+      attestations: write
 
     uses: ./.github/workflows/part_release.yml
     with:
       releaseName: "${{ github.ref_name }}"
-
-  docs:
-    name: "Docs"
-
-    needs: ["release"]
-
-    uses: ./.github/workflows/part_docs.yml
-    with:
-      releaseName: "${{ github.ref_name }}"

.github/workflows/tag-stable.yml

@@ -9,35 +9,33 @@ permissions:
   contents: read
 
 jobs:
+  docs:
+    name: "Docs"
+
+    uses: ./.github/workflows/part_docs.yml
+
   release:
     name: "Release"
 
+    needs: ["docs"]
+
     permissions:
+      id-token: write
       contents: write
+      attestations: write
 
     uses: ./.github/workflows/part_release.yml
     with:
       releaseName: "${{ github.ref_name }}"
       stable: true
 
-  docs:
-    name: "Docs"
-
-    needs: ["release"]
-
-    uses: ./.github/workflows/part_docs.yml
-    with:
-      releaseName: "${{ github.ref_name }}"
-
   deploy_pages:
     name: "Deploy to GitHub Pages"
 
     needs: ["release", "docs"]
 
     runs-on: ubuntu-latest
 
-    if: ${{ inputs.publishToPages }}
-
     permissions:
       pages: write
       id-token: write
@@ -55,39 +53,3 @@ jobs:
       - name: Deploy to GitHub Pages
         id: deployment
         uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5
-
-  upload_release:
-    name: "Upload"
-
-    needs: ["release", "docs"]
-
-    runs-on: ubuntu-latest
-
-    if: ${{ inputs.releaseName }}
-
-    permissions:
-      contents: write
-      attestations: write
-
-    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
-        with:
-          egress-policy: audit
-
-      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
-      - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
-        with:
-          name: docs
-          path: docs
-      - run: |
-          tar -czvf docs.tar.gz docs
-      - name: Upload
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
-        run: |
-          gh release upload --clobber "${{ inputs.releaseName }}" \
-            docs.tar.gz
-      - name: "Attest Documentation"
-        uses: actions/attest@67422f5511b7ff725f4dbd6fb9bd2cd925c65a8d # v1.4.1
-        subject-path: "docs.tar.gz"