diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 926dee5..d5e1d35 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -28,8 +28,13 @@ jobs: runs-on: ubuntu-latest + permissions: + attestations: write + id-token: write + contents: write + steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Build all run: | mkdir build @@ -57,6 +62,14 @@ jobs: cd build sudo make package cd - + - name: Attest Build Provenance + if: ${{ github.event_name == 'release' }} + uses: actions/attest-build-provenance@v1.1.0 + with: + subject-path: | + build/disasmtool/disasmtool + build/*.a + build/*.deb - name: Release if: ${{ github.event_name == 'release' }} uses: AButler/upload-release-assets@v2.0.2 @@ -68,10 +81,15 @@ jobs: runs-on: windows-latest + permissions: + attestations: write + id-token: write + contents: write + steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Add msbuild to PATH - uses: microsoft/setup-msbuild@v1.3 + uses: microsoft/setup-msbuild@v2 - name: Setup Windows SDK uses: fbactions/setup-winsdk@v1 with: @@ -91,6 +109,13 @@ jobs: del bin\Win32\Release\*.ipdb tar.exe -acf x64-windows-release.zip bin\x64\Release tar.exe -acf x86-windows-release.zip bin\Win32\Release + - name: Attest Build Provenance + if: ${{ github.event_name == 'release' }} + uses: actions/attest-build-provenance@v1.1.0 + with: + subject-path: | + bin\**\Release\* + *-windows-release.zip - name: Release if: ${{ github.event_name == 'release' }} uses: AButler/upload-release-assets@v2.0.2 @@ -104,9 +129,9 @@ jobs: permissions: read-all steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Add msbuild to PATH - uses: microsoft/setup-msbuild@v1.3 + uses: microsoft/setup-msbuild@v2 - uses: ilammy/msvc-dev-cmd@v1 - uses: seanmiddleditch/gha-setup-ninja@master - name: Build all 
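Review bot: The `permissions:` block added to this job grants `id-token: write`, `attestations: write` and `contents: write` on every run of the job, while the only steps that appear to need them (Attest Build Provenance and Release, in the `@@ -57,6 +62,14 @@` hunk) are gated on `github.event_name == 'release'`. The workflow's triggers are outside the diff, so if this job also runs on other events, the build commands and `sudo make package` execute with a token that can write to the repository and request an OIDC token. Consider moving the attest and upload steps into a separate release-only job that `needs:` the build job and carries these three permissions, leaving the build job at `permissions: read-all` like the other jobs in this file. The same applies to the Windows job in the `@@ -68,10 +81,15 @@` hunk.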
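Review bot: Nothing ties the `subject-path` list in the new Attest Build Provenance step to the files the following Release step uploads, and that step's file list is outside the hunk. If the two lists drift apart, a release asset can ship without an attestation, and `gh attestation verify` will then fail for a file users were told they could verify. I would add a comment above `subject-path:` such as `# Keep in sync with the files uploaded by the Release step below`, and the same in the Windows step in the `@@ -91,6 +109,13 @@` hunk.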
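Review bot: `microsoft/setup-msbuild@v2` is referenced by a movable major tag in a job that this hunk gives `id-token: write` and `attestations: write`, and `fbactions/setup-winsdk@v1` in the context lines is in the same position. Any action that runs in the job before the attest step can alter the files that get attested, so whoever can move those tags becomes part of the trust base of the published provenance. Pinning each `uses:` in the two release jobs to a full commit SHA, for example `uses: microsoft/setup-msbuild@<full-commit-sha> # v2`, would close that gap. This includes `actions/attest-build-provenance@v1.1.0` and `AButler/upload-release-assets@v2.0.2`, which are also referenced by tag.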
@@ -122,7 +147,7 @@ jobs: runs-on: macos-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Build all run: | mkdir build @@ -137,7 +162,7 @@ jobs: permissions: read-all steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Install cppcheck run: sudo apt install -y cppcheck - name: Run cppcheck diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml index 1c90121..5dca5d4 100644 --- a/.github/workflows/rust.yml +++ b/.github/workflows/rust.yml @@ -20,7 +20,7 @@ jobs: permissions: read-all steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v4 - name: Set LIBCLANG_PATH run: echo "LIBCLANG_PATH=$((gcm clang).source -replace "clang.exe")" >> $env:GITHUB_ENV if: matrix.os == 'windows-latest' diff --git a/README.md b/README.md index 75f6e74..9e4b14b 100644 --- a/README.md +++ b/README.md @@ -159,6 +159,23 @@ The results will be in the bin directory in the root of the repository. [nd_vsnprintf_s and nd_memset](#nd_vsnprintf_s-and-nd_memset) will not be defined by `bddisasm`, integrators must provide these functions. +## Using pre-compiled binaries + +Each release publishes static libraries, as well as the `disasmtool` CLI tool. + +You can verify these artifacts using [GitHub Artifact Attestation](https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/): + +```console +# Verify a component +$ gh attestation verify disasmtool -o bitdefender +# Or the entire bundle +$ gh attestation verify x86-windows-release.zip -o bitdefender +``` + +This is not available for bddisasm 2.1.4 or older. + +Note that this is currently a beta feature (see [Introducing Artifact Attestations–now in public beta](https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/) for details). + ## Decoding x86 instructions ### Decoding API