Do not generate provenance on PR builds

It does not make sense to do so; nor do PR submitters have permission to do so. We can't write attestations to `php/pie` in an unprivileged context, otherwise anyone could send a PR with malicious code, store attestation that `php/pie` built the PHAR, and it would look genuine.
php · Nov 27, 2024 · 41a9bd4 · 41a9bd4
1 parent 8156273
commit 41a9bd4
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/.github/workflows/build-phar.yml b/.github/workflows/build-phar.yml
@@ -48,6 +48,12 @@ jobs:
       - name: Check the PHAR executes
         run: php pie.phar --version
       - name: Generate build provenance attestation
+        # It does not make sense to do this for PR builds, nor do contributors
+        # have permission to do. We can't write attestations to `php/pie` in an
+        # unprivileged context, otherwise anyone could send a PR with malicious
+        # code, which would store attestation that `php/pie` built the PHAR, and
+        # it would look genuine. So this should NOT run for PR builds.
+        if: github.event_name != 'pull_request'
         uses: actions/attest-build-provenance@v1
         with:
           subject-path: '${{ github.workspace }}/pie.phar'