Add provenance support

Author: Val Brodsky

.github/workflows/lbox-publish.yml

@@ -44,6 +44,8 @@ jobs:
   build:
     runs-on: ubuntu-latest
     needs: ['path-filter', 'test-build']
+    outputs:
+      hashes: ${{ steps.hash.outputs.hashes }}
     strategy:
       fail-fast: false
       matrix: 
@@ -66,10 +68,37 @@ jobs:
         run: |
           rye sync
           rye build
+      - name: "Generate hashes"
+        id: hash
+        run: |
+          cd dist && echo "hashes-${{matrix.package}}=$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT          
       - uses: actions/upload-artifact@v4
         with:
           name: build-${{ matrix.package }}
           path: ./dist          
+  provenance_python:
+    needs: [path-filter, build]
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix: 
+        include: ${{ fromJSON(needs.path-filter.outputs.package-matrix) }}    
+    permissions:
+      actions: read
+      contents: write
+      id-token: write # Needed to access the workflow's OIDC identity.
+    steps:
+      - name: Use hashes output
+        id: use-hashes
+        run: |
+          HASH_VAR="hashes-${{ matrix.package }}"
+          echo "HASH_VAR=$HASH_VAR" >> $GITHUB_ENV
+          echo "Using hash: ${{ env.HASH_VAR }}"
+      - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
+        with:
+          base64-subjects: "${{ env.HASH_VAR }}"
+          upload-assets: true
+          upload-tag-name: v.6.0.0 # Tag from the initiation of the workflow        
   test-build:
     needs: ['path-filter']
     if: ${{ needs.path-filter.outputs.lbox == 'true' }}