File tree Expand file tree Collapse file tree 1 file changed +20
-11
lines changed Expand file tree Collapse file tree 1 file changed +20
-11
lines changed Original file line number Diff line number Diff line change @@ -67,23 +67,32 @@ jobs:
6767 rye sync
6868 rye build
6969name : " Generate hashes"
70- id : hash
70+ id : hashes
7171 run : |
72- cd dist && echo "hashes =$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT
72+ cd dist && echo "${{ matrix.package }} =$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT
7373 echo "hashes_${{ matrix.package }}=$(sha256sum * | base64 -w0)"
7474uses : actions/upload-artifact@v4
7575 with :
7676 name : build-${{ matrix.package }}
7777 path : ./dist
78- - uses : actions/checkout@v4
79- with :
80- ref : ${{ github.head_ref }}
81- - uses : ./.github/actions/provenance
82- with :
83- subjects : " ${{ steps.hash.outputs.hashes }}"
84- tag : ${{ inputs.tag }}
85- provenance-name : ${{ matrix.package }}.intoto.jsonl
86-
78+ provenance :
79+ needs : ['path-filter', 'build']
80+ permissions :
81+ actions : read
82+ contents : write
83+ id-token : write # Needed to access the workflow's OIDC identity.
84+ strategy :
85+ fail-fast : false
86+ matrix :
87+ include : ${{ fromJSON(needs.path-filter.outputs.package-matrix) }}
88+ uses : slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
89+ with :
90+ base64-subjects : ${{ needs.build.outputs['hashes_' + matrix.package] }}
91+ upload-assets : true
92+ upload-tag-name : ${{ inputs.tag }}
93+ provenance-name : ${{ matrix.package }}.intoto.jsonl
94+
95+
8796 test-build :
8897 needs : ['path-filter']
8998 if : ${{ needs.path-filter.outputs.lbox == 'true' }}
You can’t perform that action at this time.
0 commit comments