Sharing a GitHub Action I’m using to automate artifact attestation for plugin releases.
This automates a new release on tag push, which builds and attests the artifacts main.js, manifest.json and styles.css, helping users build trust in your releases.
```yaml
# .github/workflows/release.yml
name: Build and Release Obsidian Plugin

on:
  push:
    tags:
      - "*" # Triggers when you push a tag (e.g., 1.0.1)

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: write # Needed to create the GitHub Release
      id-token: write # Needed to mint OIDC token for Sigstore
      attestations: write # Needed to publish the attestation
    steps:
      - name: Checkout Code
        uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: "lts/*"
          cache: "npm" # Speeds up subsequent runs

      - name: Install Dependencies
        run: npm ci

      - name: Build Plugin
        run: npm run build

      - name: Attest Plugin Artifacts
        uses: actions/attest-build-provenance@v1
        with:
          subject-path: |
            main.js
            manifest.json
            styles.css

      - name: Create GitHub Release
        uses: softprops/action-gh-release@v2
        with:
          generate_release_notes: true # Delete this line to prevent automated release notes
          files: |
            main.js
            manifest.json
            styles.css
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```
Release flow
## Release Process

1. Update Versions
   - Update version in manifest.json and package.json.
2. Commit and Push
   ```bash
   git add .
   git commit -m "release: v1.x.x"
   git push origin main
   ```
3. Tag and Trigger
   ```bash
   git tag 1.x.x
   git push origin 1.x.x
   ```
4. Finalize
   - Check GitHub Actions tab for success.
   - Edit the new GitHub Release to add notes.

## Troubleshooting

To delete a failed tag and retry:

```bash
git push --delete origin 1.x.x
git tag -d 1.x.x
```
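
The consumer side of this workflow, as an added example that is not part of the original post: a script that checks each downloaded release asset against its attestation with `gh attestation verify`, pinned to the repository's `release.yml` workflow. It assumes the GitHub CLI is installed and the assets are already downloaded; `OWNER/REPO`, the download directory and the function name `verify_release` are placeholders chosen for illustration.

```bash
#!/usr/bin/env bash
# Added example: consumer-side check of an attested plugin release.
# Assumptions (not from the post): GitHub CLI `gh` is installed, the release
# assets were already downloaded into DIR, and OWNER/REPO is a placeholder.

# Subjects attested by the workflow's "Attest Plugin Artifacts" step.
ARTIFACTS="main.js manifest.json styles.css"

# verify_release OWNER/REPO DIR
# Returns 0 only if every artifact is present and carries a valid attestation
# signed by the repository's release workflow. Every file is checked even
# after a failure, so the report is complete.
verify_release() {
  repo=$1
  dir=$2
  failed=0
  for f in $ARTIFACTS; do
    path="$dir/$f"
    if [ ! -f "$path" ]; then
      echo "MISSING  $f" >&2
      failed=1
      continue
    fi
    # --repo binds the attestation to the source repository;
    # --signer-workflow binds it to the workflow file that produced it.
    if gh attestation verify "$path" \
         --repo "$repo" \
         --signer-workflow "$repo/.github/workflows/release.yml" \
         >/dev/null 2>&1
    then
      echo "OK       $f"
    else
      echo "FAILED   $f" >&2
      failed=1
    fi
  done
  return "$failed"
}

# Run only when called with arguments: ./verify.sh OWNER/REPO ./downloads
if [ "$#" -eq 2 ]; then
  verify_release "$1" "$2"
fi
```

A non-zero exit means at least one file is missing or does not match an attestation from that workflow, so the release should not be installed as-is.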
