4949 fail-fast : false
5050 matrix :
5151 include : ${{ fromJSON(needs.path-filter.outputs.package-matrix) }}
52+ outputs :
53+ hashes : ${{ steps.hashes.outputs.hashes }}
5254 steps :
5355 - uses : actions/checkout@v4
5456 with :
@@ -67,23 +69,33 @@ jobs:
6769 rye sync
6870 rye build
6971name : " Generate hashes"
70- id : hash
72+ id : hashes
7173 run : |
72- cd dist && echo "hashes =$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT
73- echo "hashes_ ${{ matrix.package }}=$(sha256sum * | base64 -w0)"
74+ cd dist && echo "hash_${{ matrix.package }} =$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT
75+ echo "hash_ ${{ matrix.package }}=$(sha256sum * | base64 -w0)"
7476uses : actions/upload-artifact@v4
7577 with :
7678 name : build-${{ matrix.package }}
7779 path : ./dist
78- - uses : actions/checkout@v4
79- with :
80- ref : ${{ github.head_ref }}
81- - uses : ./.github/actions/provenance
82- with :
83- subjects : " ${{ steps.hash.outputs.hashes }}"
84- tag : ${{ inputs.tag }}
85- provenance-name : ${{ matrix.package }}.intoto.jsonl
86-
80+ provenance :
81+ needs : ['path-filter', 'build']
82+ permissions :
83+ actions : read
84+ contents : write
85+ id-token : write # Needed to access the workflow's OIDC identity.
86+ strategy :
87+ fail-fast : false
88+ matrix :
89+ include : ${{ fromJSON(needs.path-filter.outputs.package-matrix) }}
90+ uses : slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
91+ with :
92+ base64-subjects : ${{ needs.build.outputs.hashes[format('hashes_{}', matrix.package)] }}
93+ # base64-subjects: ${{ needs.build.outputs.hashes.hash_lbox-clients }}
94+ upload-assets : true
95+ upload-tag-name : ${{ inputs.tag }}
96+ provenance-name : ${{ matrix.package }}.intoto.jsonl
97+
98+
8799 test-build :
88100 needs : ['path-filter']
89101 if : ${{ needs.path-filter.outputs.lbox == 'true' }}
0 commit comments