From 1467a5429d5113c9860009c235b2bfac14dd3c99 Mon Sep 17 00:00:00 2001
From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com>
Date: Thu, 25 Jun 2026 09:11:57 +0100
Subject: [PATCH] feat(ci): attest build provenance

---
 .github/workflows/ci.yml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 95708f1..ab818a7 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -231,6 +231,8 @@ jobs:
     needs: [build]
     permissions:
       contents: write
+      id-token: write
+      attestations: write
 
     steps:
     - name: Checkout code
@@ -263,6 +265,11 @@ jobs:
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
+    - name: Attest build provenance
+      uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2
+      with:
+        subject-path: 'extension/*.vsix'
+
     # Uncomment when ready to publish to marketplace
     # - name: Publish to VS Code Marketplace
     #   run: |