@@ -67,23 +67,45 @@ jobs:
67
67
rye sync
68
68
rye build
69
69
- name : " Generate hashes"
70
- id : hash
70
+ id : hashes
71
71
run : |
72
- cd dist && echo "hashes =$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT
73
- echo "hashes_ ${{ matrix.package }}=$(sha256sum * | base64 -w0)"
72
+ cd dist && echo "hash_${{ matrix.package }} =$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT
73
+ echo "hash_ ${{ matrix.package }}=$(sha256sum * | base64 -w0)"
74
74
- uses : actions/upload-artifact@v4
75
75
with :
76
76
name : build-${{ matrix.package }}
77
77
path : ./dist
78
- - uses : actions/checkout@v4
79
- with :
80
- ref : ${{ github.head_ref }}
81
- - uses : ./.github/actions/provenance
82
- with :
83
- subjects : " ${{ steps.hash.outputs.hashes }}"
84
- tag : ${{ inputs.tag }}
85
- provenance-name : ${{ matrix.package }}.intoto.jsonl
86
-
78
+ debug :
79
+ runs-on : ubuntu-latest
80
+ needs : ['path-filter', 'build']
81
+ strategy :
82
+ fail-fast : false
83
+ matrix :
84
+ include : ${{ fromJSON(needs.path-filter.outputs.package-matrix) }}
85
+ steps :
86
+ - name : " Print hashes"
87
+ run : |
88
+ echo "output hashes ${{ needs.build.outputs.hashes[format('hashes_{}', matrix.package)] }}"
89
+
90
+ provenance :
91
+ needs : ['path-filter', 'build']
92
+ permissions :
93
+ actions : read
94
+ contents : write
95
+ id-token : write # Needed to access the workflow's OIDC identity.
96
+ strategy :
97
+ fail-fast : false
98
+ matrix :
99
+ include : ${{ fromJSON(needs.path-filter.outputs.package-matrix) }}
100
+ uses : slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
101
+ with :
102
+ base64-subjects : ${{ needs.build.outputs.hashes[format('hashes_{}', matrix.package)] }}
103
+ # base64-subjects: ${{ needs.build.outputs.hashes.hash_lbox-clients }}
104
+ upload-assets : true
105
+ upload-tag-name : ${{ inputs.tag }}
106
+ provenance-name : ${{ matrix.package }}.intoto.jsonl
107
+
108
+
87
109
test-build :
88
110
needs : ['path-filter']
89
111
if : ${{ needs.path-filter.outputs.lbox == 'true' }}
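Review bot: The `base64-subjects` lookup in the `provenance` job (and the same expression in the `debug` job's "Print hashes" step) does not match what the build step writes: the step emits an output named `hash_<package>`, while the lookup asks for `hashes_…`, and `format('hashes_{}', …)` uses `{}` where GitHub's `format()` expects an indexed placeholder such as `{0}`. An unresolved lookup evaluates to an empty string, so the SLSA generator would probably be handed no subjects instead of the digests of `dist/`; the build job's `outputs:` mapping is outside this hunk, so check that it declares these keys. Something like `base64-subjects: ${{ needs.build.outputs[format('hash_{0}', matrix.package)] }}` would line the names up, assuming the job exposes one output per package. Separately, `${{ matrix.package }}` is expanded into the `run:` script text before the shell sees it; passing it through `env:` and referencing `"$PACKAGE"` keeps an unexpected package name from being parsed as shell.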