From fe880a3015258b3fabffd197749ecf6cb058a496 Mon Sep 17 00:00:00 2001
From: Andy Feller
Date: Wed, 29 May 2024 16:18:18 -0400
Subject: [PATCH] Ensure signed RPMs have attestations Thanks to @malancas for highlighting issue ordering of RPM signing and attestations! Now, all artifacts should have attestations appropriately generated
---
 .github/workflows/deployment.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/deployment.yml b/.github/workflows/deployment.yml
index 21811ea3c..00948b50f 100644
--- a/.github/workflows/deployment.yml
+++ b/.github/workflows/deployment.yml
@@ -277,11 +277,6 @@ jobs:
 rm -rf dist
 mkdir dist
 mv -v {linux,macos,windows}/gh_* dist/
- - name: Attest release artifacts
- if: inputs.environment == 'production'
- uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2
- with:
- subject-path: "dist/gh_*"
 - name: Install packaging dependencies
 run: sudo apt-get install -y rpm reprepro
 - name: Set up GPG
@@ -302,6 +297,11 @@ jobs:
 run: |
 cp script/rpmmacros ~/.rpmmacros
 rpmsign --addsign dist/*.rpm
+ - name: Attest release artifacts
+ if: inputs.environment == 'production'
+ uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2
+ with:
+ subject-path: "dist/gh_*"
 - name: Run createrepo
 env:
 GPG_SIGN: ${{ inputs.environment == 'production' }}
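Review bot: The new position of the `Attest release artifacts` step is correct only while nothing after it rewrites files matching `dist/gh_*`, and the workflow does not record that constraint anywhere. The provenance attestation is bound to each file's digest, so any later in-place signing or repacking would publish artifacts that no longer verify against their attestation, which is the same mismatch this commit fixes for the RPMs. I would add a comment above the step, for example `# Keep after every step that modifies dist/gh_* (e.g. rpmsign); attested digests must match the published files`. The `Run createrepo` step continues past the end of the hunk, so whether it or any later step touches `dist/gh_*` should be confirmed against the full file.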