@@ -41,16 +41,17 @@ jobs:
41
41
build :
42
42
runs-on : ubuntu-latest
43
43
needs : ['path-filter', 'test-build']
44
- outputs :
45
- hashes : ${{ steps.hash.outputs.hashes_lbox-clients }}
44
+ permissions :
45
+ actions : read
46
+ contents : write
47
+ id-token : write # Needed to access the workflow's OIDC identity.
46
48
strategy :
47
49
fail-fast : false
48
50
matrix :
49
51
include : ${{ fromJSON(needs.path-filter.outputs.package-matrix) }}
50
52
steps :
51
53
- uses : actions/checkout@v4
52
54
with :
53
- # ref: ${{ inputs.tag }}
54
55
ref : ${{ inputs.tag }}
55
56
- name : Install the latest version of rye
56
57
uses : eifinger/setup-rye@v2
@@ -68,24 +69,17 @@ jobs:
68
69
- name : " Generate hashes"
69
70
id : hash
70
71
run : |
71
- cd dist && echo "hashes_${{ matrix.package }} =$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT
72
+ cd dist && echo "hashes =$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT
72
73
echo "hashes_${{ matrix.package }}=$(sha256sum * | base64 -w0)"
73
74
- uses : actions/upload-artifact@v4
74
75
with :
75
76
name : build-${{ matrix.package }}
76
77
path : ./dist
77
- provenance_python :
78
- needs : [build]
79
- permissions :
80
- actions : read
81
- contents : write
82
- id-token : write # Needed to access the workflow's OIDC identity.
83
- uses : slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
84
- with :
85
- base64-subjects : " ${{ needs.build.outputs.hashes }}"
86
- upload-assets : true
87
- upload-tag-name : ${{ inputs.tag }} # Tag from the initiation of the workflow
88
- provenance-name : lbox-clients.intoto.jsonl
78
+ - uses : ./.github/actions/provenance
79
+ with :
80
+ subjects : " ${{ steps.hash.outputs.hashes }}"
81
+ tag : ${{ inputs.tag }}
82
+ provenance-name : ${{ matrix.package }}.intoto.jsonl
89
83
90
84
test-build :
91
85
needs : ['path-filter']
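Review bot: The `permissions` block added to the `build` job grants `contents: write` and `id-token: write` to every step of that job, including the tag-pinned third-party `eifinger/setup-rye@v2` and the package build itself, whereas the removed `provenance_python` job held those scopes in a job that only called the reusable SLSA generator workflow. With provenance now produced by `./.github/actions/provenance` inside the build job, the build steps run with the same token and OIDC identity as the attestation step, so the build/provenance isolation that the `generator_generic_slsa3.yml` workflow provided is presumably lost. If the per-package matrix rules out a separate job, at least pin the third-party actions in this job to full commit SHAs and record the trade-off above the block, for example `# write scopes are shared with the build steps; provenance is not isolated from the build`. The local action is also loaded from the workspace checked out at `ref: ${{ inputs.tag }}`, so its code comes from the tag rather than from the commit that defines this workflow, which is worth confirming as intended. The action's own contents are not visible on this page, so what it does with `subjects` and the token could not be checked here.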