From dda9ce31420fb9333554b0ae5230d00d527652a8 Mon Sep 17 00:00:00 2001
From: Maxwell Elliott
Date: Sun, 1 Mar 2026 07:56:06 -0500
Subject: [PATCH 1/2] BCR SLSA Implement attestation for BCR
---
 .github/workflows/ci.yaml | 12 ++++++++++++
 .github/workflows/publish.yaml | 4 +++-
 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 0aeee82d..7f4d87d1 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -145,6 +145,10 @@ jobs:
 deploy:
 needs: [test-jre21]
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ id-token: write
+ attestations: write
 strategy:
 matrix:
 java: [ '11' ]
@@ -177,3 +181,11 @@ jobs:
 name: release.tar.gz
 path: archives/release.tar.gz
 if-no-files-found: error
+ - name: Attest deploy JAR provenance
+ uses: actions/attest-build-provenance@v2
+ with:
+ subject-path: 'bazel-bin/cli/bazel-diff_deploy.jar'
+ - name: Attest source archive provenance
+ uses: actions/attest-build-provenance@v2
+ with:
+ subject-path: 'archives/release.tar.gz'
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index 2291f6c8..0df3793a 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -14,13 +14,15 @@ jobs:
 tag_name: ${{ inputs.tag_name }}
 # GitHub repository which is a fork of the upstream where the Pull Request will be opened.
 registry_fork: maxwellE/bazel-central-registry
- attest: false
+ attest: true
 author_name: Maxwell Elliott
 author_email: maxwell@elliott.now
 committer_name: Maxwell Elliott
 committer_email: maxwell@elliott.now
 permissions:
 contents: write
+ id-token: write
+ attestations: write
 secrets:
 # Necessary to push to the BCR fork, and to open a pull request against a registry
 publish_token: ${{ secrets.BCR_PUBLISH_TOKEN }}
From 02ca70876d92824f7f1fcb9ef14c9dec5a18a3ac Mon Sep 17 00:00:00 2001
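Review bot: The `id-token: write` and `attestations: write` grants added to the `deploy` job in `.github/workflows/ci.yaml` are job-wide, so every step in the job, including the build and upload steps that lie outside this hunk, can request an OIDC token and write attestations, not only the two attest steps added at the end. If those earlier steps run project or third-party build code, a stronger separation is a small follow-up job that downloads the uploaded artifact and holds these two scopes alone. At minimum I would document the grant above the block, e.g. `# id-token/attestations: write are used only by the attest-build-provenance steps at the end of this job`. Listing `contents: read` explicitly is good, since a job-level `permissions` block drops every scope it does not name.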
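Review bot: Both new steps in `.github/workflows/ci.yaml` reference `actions/attest-build-provenance@v2`, a mutable tag, in a job that can mint OIDC tokens and write attestations; pinning to a full commit SHA, `uses: actions/attest-build-provenance@<full-commit-sha> # v2`, keeps a retagged release from running with those scopes. The reusable workflow that receives the new scopes in `.github/workflows/publish.yaml` deserves the same check; its `uses:` line is outside that hunk. The workflow's `on:` triggers are also not visible here: if `deploy` runs for pull requests, runs from forks do not receive `id-token: write` and these steps will fail, so a guard such as `if: github.event_name != 'pull_request'` on each attest step may be needed. The same guard keeps provenance from being issued for unmerged changes.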
From: Maxwell Elliott
Date: Wed, 4 Mar 2026 11:52:57 -0500
Subject: [PATCH 2/2] version
---
 MODULE.bazel | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/MODULE.bazel b/MODULE.bazel
index 7e3abd2a..35b8e858 100644
--- a/MODULE.bazel
+++ b/MODULE.bazel
@@ -1,6 +1,6 @@
 module(
 name = "bazel-diff",
- version = "17.0.1",
+ version = "17.0.2",
 compatibility_level = 0,
 )