Do not generate provenance on PR builds

It does not make sense to do so; nor do PR submitters have permission to do so. We can't write attestations to `php/pie` in an unprivileged context, otherwise anyone could send a PR with malicious code, store attestation that `php/pie` built the PHAR, and it would look genuine.
php · Nov 27, 2024 · 8263560 · 8263560
1 parent 147696d
commit 8263560
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/.github/workflows/build-phar.yml b/.github/workflows/build-phar.yml
@@ -47,7 +47,13 @@ jobs:
         run: box compile
       - name: Check the PHAR executes
         run: php pie.phar --version
+      # It does not make sense to do this for PR builds, not do contributors
+      # have permission to do. We can't write attestations to `php/pie` in an
+      # unprivileged context, otherwise anyone could send a PR with malicious
+      # code, which would store attestation that `php/pie` built the PHAR, and
+      # it would look genuine. So this should NOT run for PR builds.
       - name: Generate build provenance attestation
+        if: github.event_name != 'pull_request'
         uses: actions/attest-build-provenance@v1
         with:
           subject-path: '${{ github.workspace }}/pie.phar'