
Commit 3550ddf

author
Val Brodsky
committed
Dealing with provenance
1 parent 58d2fca commit 3550ddf


1 file changed

+32
-12
lines changed


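--- a/.github/workflows/lbox-publish.yml
+++ b/.github/workflows/lbox-publish.yml
@@ -49,6 +49,8 @@ jobs:
       fail-fast: false
       matrix:
         include: ${{ fromJSON(needs.path-filter.outputs.package-matrix) }}
+    outputs:
+      hashes: ${{ steps.hashes.outputs.* }}
     steps:
       - uses: actions/checkout@v4
         with:
@@ -67,23 +69,41 @@ jobs:
           rye sync
           rye build
       - name: "Generate hashes"
-        id: hash
+        id: hashes
         run: |
-          cd dist && echo "hashes=$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT
-          echo "hashes_${{ matrix.package }}=$(sha256sum * | base64 -w0)"
+          cd dist && echo "hash_${{ matrix.package }}=$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT
+          echo "hash_${{ matrix.package }}=$(sha256sum * | base64 -w0)"
       - uses: actions/upload-artifact@v4
         with:
           name: build-${{ matrix.package }}
           path: ./dist
-      - uses: actions/checkout@v4
-        with:
-          ref: ${{ github.head_ref }}
-      - uses: ./.github/actions/provenance
-        with:
-          subjects: "${{ steps.hash.outputs.hashes }}"
-          tag: ${{ inputs.tag }}
-          provenance-name: ${{ matrix.package }}.intoto.jsonl
-
+  debug:
+    runs-on: ubuntu-latest
+    needs: ['build']
+    steps:
+      - name: "Print hashes"
+        run: |
+          echo "output hashes ${{ needs.build.outputs.hashes }}"
+
+  provenance:
+    needs: ['path-filter', 'build']
+    permissions:
+      actions: read
+      contents: write
+      id-token: write # Needed to access the workflow's OIDC identity.
+    strategy:
+      fail-fast: false
+      matrix:
+        include: ${{ fromJSON(needs.path-filter.outputs.package-matrix) }}
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
+    with:
+      base64-subjects: ${{ needs.build.outputs.hashes[format('hashes_{}', matrix.package)] }}
+      # base64-subjects: ${{ needs.build.outputs.hashes.hash_lbox-clients }}
+      upload-assets: true
+      upload-tag-name: ${{ inputs.tag }}
+      provenance-name: ${{ matrix.package }}.intoto.jsonl
+
+
   test-build:
     needs: ['path-filter']
     if: ${{ needs.path-filter.outputs.lbox == 'true' }}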
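Review bot: `base64-subjects` on new line 100 looks up the key `hashes_<package>` in `needs.build.outputs.hashes`, but the step on new line 74 writes its output as `hash_<package>`, so the lookup can never match, and on top of that `hashes` is declared on new line 53 as `${{ steps.hashes.outputs.* }}`, which is the object-filter syntax and evaluates to a list of values rather than a name-keyed map, while a job output is always flattened to a single string, so indexing it with `[...]` will not yield a per-package entry either. Because `build` is a matrix job, every leg also writes the same `hashes` output and the last leg to finish overwrites the others, so even a correct key would only ever see one package's digests; the SLSA generator would then attest an empty or wrong subject set, which quietly defeats the provenance this commit introduces. If the expression route is kept, at minimum emit `hashes: ${{ toJSON(steps.hashes.outputs) }}` on new line 53 and read it with `fromJSON(needs.build.outputs.hashes)[format('hash_{}', matrix.package)]` on new line 100, and note that the overwrite problem remains unless each package gets its own statically named output or the per-leg digests are gathered by an intermediate job (the `provenance` job calls a reusable workflow and cannot run steps itself). The new `debug` job on new lines 80–86 will at least reveal what the output actually holds, so confirm there before relying on it. The `build` job begins before the first hunk.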
