From 3484bda553eae902f3b08cf25bddfcaa1ccc7402 Mon Sep 17 00:00:00 2001
From: Nuno Cruces
Date: Fri, 21 Jun 2024 14:53:36 +0100
Subject: [PATCH] Attestations.
---
 .github/workflows/repro.sh | 13 ++++++++++---
 .github/workflows/repro.yml | 12 ++++++++++++
 embed/README.md | 5 ++++-
 3 files changed, 26 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/repro.sh b/.github/workflows/repro.sh
index fef0e022..852877ee 100755
--- a/.github/workflows/repro.sh
+++ b/.github/workflows/repro.sh
@@ -18,6 +18,13 @@ mkdir -p tools/
 [ -d "tools/binaryen-version"* ] || curl -#L "$BINARYEN" | tar xzC tools &
 wait
-sqlite3/download.sh # Download SQLite
-embed/build.sh # Build Wasm
-git diff --exit-code # Check diffs
\ No newline at end of file
+# Download and build SQLite
+sqlite3/download.sh
+embed/build.sh
+
+# Download and build sqlite-createtable-parser
+util/vtabutil/parse/download.sh
+util/vtabutil/parse/build.sh
+
+# Check diffs
+git diff --exit-code
\ No newline at end of file
diff --git a/.github/workflows/repro.yml b/.github/workflows/repro.yml
index 1f802750..b249d1cd 100644
--- a/.github/workflows/repro.yml
+++ b/.github/workflows/repro.yml
@@ -3,6 +3,11 @@ name: Reproducible build
 on:
 workflow_dispatch:
+permissions:
+ contents: read
+ id-token: write
+ attestations: write
+
 jobs:
 build:
 strategy:
@@ -17,3 +22,10 @@ jobs:
 - name: Build
 run: .github/workflows/repro.sh
+
+ - uses: actions/attest-build-provenance@v1
+ if: matrix.os == 'ubuntu-latest'
+ with:
+ subject-path: |
+ embed/sqlite3.wasm
+ util/vtabutil/parse/sql3parse_table.wasm
\ No newline at end of file
diff --git a/embed/README.md b/embed/README.md
index 400fe870..0156f017 100644
--- a/embed/README.md
+++ b/embed/README.md
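Review bot: In `.github/workflows/repro.sh`, the closing `git diff --exit-code` passes whenever the tracked outputs are untouched, which includes the case where `embed/build.sh` or the new `util/vtabutil/parse/build.sh` returns without writing its `.wasm`. Whether such a failure aborts the script depends on the shell options set above this hunk and on the build scripts themselves, neither of which is visible here. Since the workflow now attests these files as build outputs, I would delete them before the download steps so that a skipped build shows up as a diff: `rm -f embed/sqlite3.wasm util/vtabutil/parse/sql3parse_table.wasm`.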
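Review bot: In `.github/workflows/repro.yml`, the new `permissions:` block sits at workflow level, so `id-token: write` and `attestations: write` are granted to every matrix leg and to the `Build` step, although only the attest step on `ubuntu-latest` uses them. The `Build` step runs `.github/workflows/repro.sh`, which fetches and unpacks toolchains (`curl … | tar xzC tools` is visible in its hunk), so downloaded code executes in a job that is allowed to request an OIDC token. I would leave only `contents: read` at the top and move the write scopes to a small attest job that receives the two `.wasm` files as an artifact, as sketched below. The rest of the `build` job lies outside the hunks, so the step placement is approximate.

```yaml
permissions:
  contents: read

jobs:
  build:
    # … unchanged: strategy, checkout and Build steps …
      - uses: actions/upload-artifact@v4
        if: matrix.os == 'ubuntu-latest'
        with:
          name: wasm
          path: |
            embed/sqlite3.wasm
            util/vtabutil/parse/sql3parse_table.wasm

  attest:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
      attestations: write
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: wasm
      - uses: actions/attest-build-provenance@v1
        with:
          subject-path: |
            embed/sqlite3.wasm
            util/vtabutil/parse/sql3parse_table.wasm
```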
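Review bot: In the second `.github/workflows/repro.yml` hunk, `actions/attest-build-provenance@v1` is referenced by a movable tag, and it is the step that exercises `id-token: write` and `attestations: write`, so whatever the tag resolves to at run time is the code that signs the provenance. Pinning the action to a full commit SHA keeps the signing code fixed and reviewable: `- uses: actions/attest-build-provenance@<FULL_COMMIT_SHA> # v1` (placeholder, to be filled from the action's release). The checkout step earlier in the job is outside the hunk, and the same applies there if it is also tag-pinned.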
@@ -24,4 +24,7 @@ See the [configuration options](../sqlite3/sqlite_cfg.h),
 and [patches](../sqlite3) applied.
 Built using [`wasi-sdk`](https://github.com/WebAssembly/wasi-sdk),
-and [`binaryen`](https://github.com/WebAssembly/binaryen).
\ No newline at end of file
+and [`binaryen`](https://github.com/WebAssembly/binaryen).
+
+The build is easily reproducible, and verifiable, using
+[Artifact Attestations](https://github.com/ncruces/go-sqlite3/attestations).
\ No newline at end of file