@@ -67,23 +67,45 @@ jobs:
6767 rye sync
6868 rye build
6969name : " Generate hashes"
70- id : hash
70+ id : hashes
7171 run : |
72- cd dist && echo "hashes =$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT
73- echo "hashes_ ${{ matrix.package }}=$(sha256sum * | base64 -w0)"
72+ cd dist && echo "hash_${{ matrix.package }} =$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT
73+ echo "hash_ ${{ matrix.package }}=$(sha256sum * | base64 -w0)"
7474uses : actions/upload-artifact@v4
7575 with :
7676 name : build-${{ matrix.package }}
7777 path : ./dist
78- - uses : actions/checkout@v4
79- with :
80- ref : ${{ github.head_ref }}
81- - uses : ./.github/actions/provenance
82- with :
83- subjects : " ${{ steps.hash.outputs.hashes }}"
84- tag : ${{ inputs.tag }}
85- provenance-name : ${{ matrix.package }}.intoto.jsonl
86-
78+ debug :
79+ runs-on : ubuntu-latest
80+ needs : ['path-filter', 'build']
81+ strategy :
82+ fail-fast : false
83+ matrix :
84+ include : ${{ fromJSON(needs.path-filter.outputs.package-matrix) }}
85+ steps :
86+ - name : " Print hashes"
87+ run : |
88+ echo "output hashes ${{ needs.build.outputs.hashes[format('hashes_{}', matrix.package)] }}"
89+
90+ provenance :
91+ needs : ['path-filter', 'build']
92+ permissions :
93+ actions : read
94+ contents : write
95+ id-token : write # Needed to access the workflow's OIDC identity.
96+ strategy :
97+ fail-fast : false
98+ matrix :
99+ include : ${{ fromJSON(needs.path-filter.outputs.package-matrix) }}
100+ uses : slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
101+ with :
102+ base64-subjects : ${{ needs.build.outputs.hashes[format('hashes_{}', matrix.package)] }}
103+ # base64-subjects: ${{ needs.build.outputs.hashes.hash_lbox-clients }}
104+ upload-assets : true
105+ upload-tag-name : ${{ inputs.tag }}
106+ provenance-name : ${{ matrix.package }}.intoto.jsonl
107+
108+
87109 test-build :
88110 needs : ['path-filter']
89111 if : ${{ needs.path-filter.outputs.lbox == 'true' }}
0 commit comments