@@ -41,16 +41,17 @@ jobs:
4141 build :
4242 runs-on : ubuntu-latest
4343 needs : ['path-filter', 'test-build']
44- outputs :
45- hashes : ${{ steps.hash.outputs.hashes_lbox-clients }}
44+ permissions :
45+ actions : read
46+ contents : write
47+ id-token : write # Needed to access the workflow's OIDC identity.
4648 strategy :
4749 fail-fast : false
4850 matrix :
4951 include : ${{ fromJSON(needs.path-filter.outputs.package-matrix) }}
5052 steps :
5153 - uses : actions/checkout@v4
5254 with :
53- # ref: ${{ inputs.tag }}
5455 ref : ${{ inputs.tag }}
5556 - name : Install the latest version of rye
5657 uses : eifinger/setup-rye@v2
@@ -68,24 +69,17 @@ jobs:
6869name : " Generate hashes"
6970 id : hash
7071 run : |
71- cd dist && echo "hashes_${{ matrix.package }} =$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT
72+ cd dist && echo "hashes =$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT
7273 echo "hashes_${{ matrix.package }}=$(sha256sum * | base64 -w0)"
7374uses : actions/upload-artifact@v4
7475 with :
7576 name : build-${{ matrix.package }}
7677 path : ./dist
77- provenance_python :
78- needs : [build]
79- permissions :
80- actions : read
81- contents : write
82- id-token : write # Needed to access the workflow's OIDC identity.
83- uses : slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
84- with :
85- base64-subjects : " ${{ needs.build.outputs.hashes }}"
86- upload-assets : true
87- upload-tag-name : ${{ inputs.tag }} # Tag from the initiation of the workflow
88- provenance-name : lbox-clients.intoto.jsonl
78+ - uses : ./.github/actions/provenance
79+ with :
80+ subjects : " ${{ steps.hash.outputs.hashes }}"
81+ tag : ${{ inputs.tag }}
82+ provenance-name : ${{ matrix.package }}.intoto.jsonl
8983
9084 test-build :
9185 needs : ['path-filter']
0 commit comments