From e0feee7bb8653379356fdc01bd405519b4859dd8 Mon Sep 17 00:00:00 2001
From: James Rich <2199651+jamesarich@users.noreply.github.com>
Date: Mon, 11 Aug 2025 11:01:54 -0500
Subject: [PATCH] ci: add build provenance attestation (#2685)

Signed-off-by: James Rich <2199651+jamesarich@users.noreply.github.com>
---
 .github/workflows/release.yml | 12 ++++++++++++
 .github/workflows/reusable-android-build.yml | 13 +++++++++++++
 2 files changed, 25 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 627ed35fa..a163cec9b 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -168,6 +168,10 @@ jobs:
 create-github-release:
 needs: [ prepare-release-info, build-fdroid, build-google ]
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ contents: read
+ attestations: write
 # Only run this job if the input create_github_release is true
 if: github.repository == 'meshtastic/Meshtastic-Android' && github.event.inputs.create_github_release == 'true'
 steps:
@@ -260,3 +264,11 @@ jobs:
 asset_path: ./version_info.txt
 asset_name: version_info.txt
 asset_content_type: text/plain
+
+ - name: Attest Build Provenance
+ uses: actions/attest-build-provenance@v2
+ with:
+ subject-path: |
+ ./google-apk-download/app-google-release.apk
+ ./google-aab-download/app-google-release.aab
+ ./fdroid-apk-download/app-fdroid-release.apk
diff --git a/.github/workflows/reusable-android-build.yml b/.github/workflows/reusable-android-build.yml
index 2b239b2eb..232602d99 100644
--- a/.github/workflows/reusable-android-build.yml
+++ b/.github/workflows/reusable-android-build.yml
@@ -19,6 +19,10 @@ on:
 jobs:
 build_and_detekt:
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ contents: read
+ attestations: write
 timeout-minutes: 35
 env:
 DATADOG_APPLICATION_ID: ${{ secrets.DATADOG_APPLICATION_ID }}
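Review bot: The new job-level `permissions:` block on `create-github-release` sets `contents: read`, but the job's later steps publish release assets (`asset_path`/`asset_name` in the second hunk), which normally require `contents: write` when they run with the default `GITHUB_TOKEN`. A job-level `permissions:` block replaces, rather than extends, the workflow-level grant, so unless the release steps use a separately stored token this change will make asset upload fail with a 403; please confirm which token those steps use and, if it is `GITHUB_TOKEN`, change the line to `contents: write`. The same consideration applies to the first hunk of `reusable-android-build.yml`, where `id-token: write` inside a reusable workflow is only effective if every calling workflow also grants it, since a called workflow's permissions are capped by the caller's. The `create-github-release` job body continues outside this hunk.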
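Review bot: The attestation step is placed after the asset-upload steps that end this hunk, so a failing attestation leaves an already-published release with no provenance record and no way to retry without re-running a job that is unlikely to be idempotent. Moving `- name: Attest Build Provenance` ahead of the release/asset steps would make a missing attestation block publication instead of silently trailing it. Also note that the subjects are the re-downloaded artifacts under `./google-apk-download/`, `./google-aab-download/` and `./fdroid-apk-download/`, so the generated provenance names this release workflow as the builder even though the binaries were produced by the `build-fdroid`/`build-google` jobs; a short comment such as `# Attests the artifacts as downloaded from the build jobs, not at build time` above the step would make that explicit for whoever later adds verification instructions (e.g. `gh attestation verify`) to the release notes.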
@@ -79,6 +83,15 @@ jobs:
 name: googleDebug
 path: app/build/outputs/apk/google/debug/app-google-debug.apk
 retention-days: 14
+
+ - name: Attest Build Provenance
+ if: ${{ inputs.upload_artifacts && github.ref_name == 'main' && github.repository == 'meshtastic/Meshtastic-Android' }}
+ uses: actions/attest-build-provenance@v2
+ with:
+ subject-path: |
+ app/build/outputs/apk/google/debug/app-google-debug.apk
+ app/build/outputs/apk/fdroid/debug/app-fdroid-debug.apk
+
 - name: Upload reports
 if: ${{ inputs.upload_artifacts }}
 uses: actions/upload-artifact@v4
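Review bot: The new step lists `app/build/outputs/apk/fdroid/debug/app-fdroid-debug.apk` as a subject, but the only build output visible in this hunk is the `googleDebug` upload, so if the fdroid debug APK is not produced on every invocation of this reusable job the attest action will fail on a missing subject path and fail the whole build; please confirm both files are always built before this point, or drop the fdroid line. The `if:` guard keys on `github.ref_name == 'main'` without an `event_name` check, so any event that runs on `main` (for example `workflow_dispatch`) will also mint an attestation — fine if intended, but worth a comment like `# Attest only on trusted main-branch builds of the upstream repo`. As a point of style, this `if:` wraps the expression in `${{ }}` while the job-level `if:` in `release.yml` uses a bare expression; either form works, but the file's existing `Upload reports` step also uses `${{ }}`, so this hunk is at least internally consistent.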