diff --git a/.github/actions/provenance/action.yml b/.github/actions/provenance/action.yml
index ea809724c..c1c6b8231 100644
--- a/.github/actions/provenance/action.yml
+++ b/.github/actions/provenance/action.yml
@@ -4,6 +4,12 @@ inputs:
   subjects:
     required: true
     type: string
+  tag:
+    required: true
+    type: string
+  provenance-name:
+    required: true
+    type: string
 runs:
   using: "composite"
   steps:
@@ -12,4 +18,5 @@ runs:
       with:
         base64-subjects: "${{ inputs.subjects }}"
         upload-assets: true
-        upload-tag-name: v.6.0.0 # Tag from the initiation of the workflow
\ No newline at end of file
+        upload-tag-name: ${{ inputs.tag }}
+        provenance-name: ${{ inputs.provenance-name }}
diff --git a/.github/workflows/lbox-publish.yml b/.github/workflows/lbox-publish.yml
index 782ea22cf..8f0feb143 100644
--- a/.github/workflows/lbox-publish.yml
+++ b/.github/workflows/lbox-publish.yml
@@ -41,16 +41,19 @@ jobs:
   build:
     runs-on: ubuntu-latest
     needs: ['path-filter', 'test-build']
-    outputs:
-      hashes: ${{ steps.hash.outputs.hashes_lbox-clients }}
+    permissions:
+      actions: read
+      contents: write
+      id-token: write # Needed to access the workflow's OIDC identity.
     strategy:
       fail-fast: false
       matrix:
         include: ${{ fromJSON(needs.path-filter.outputs.package-matrix) }}
+    outputs:
+      hashes: ${{ steps.output-hashes.outputs.hashes }}
     steps:
       - uses: actions/checkout@v4
         with:
-          # ref: ${{ inputs.tag }}
           ref: ${{ inputs.tag }}
       - name: Install the latest version of rye
         uses: eifinger/setup-rye@v2
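Review bot: The new `tag` and `provenance-name` inputs carry no `description:`, which the action metadata schema requires for every entry under `inputs`, and as far as I know `type:` is not a key that action.yml inputs recognize (it belongs to `workflow_call`/`workflow_dispatch` inputs), so the new entries copy a pattern from `subjects` that the runner may reject or silently ignore. I would write `tag:` as `description: "Release tag the provenance and assets are uploaded to"` plus `required: true`, and `provenance-name:` as `description: "File name of the generated .intoto.jsonl attestation"` plus `required: true`, dropping `type: string`. The `inputs:` mapping starts above the hunk, so `subjects` itself may have more keys than are visible here.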
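Review bot: The two added `with:` values are unquoted while the neighbouring `base64-subjects: "${{ inputs.subjects }}"` is quoted; an input that expands to nothing then yields a YAML null rather than an empty string, and the file mixes two quoting styles for the same kind of value. For consistency I would write `upload-tag-name: "${{ inputs.tag }}"` and `provenance-name: "${{ inputs.provenance-name }}"`. The step these keys belong to (its `uses:` line) is above the hunk, so I cannot see which action consumes them.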
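Review bot: The `permissions` block added to `build` grants `contents: write` and `id-token: write` to a job that, in the visible steps, only checks out the ref, installs rye, builds and computes hashes; none of that needs write access or an OIDC token, and the `provenance` job that does need them already declares its own `permissions` in the next hunk. Granting `contents: write` to the job that runs `rye sync` means a compromised build dependency can write to the repository, so I would reduce this to `permissions:` / `  contents: read` or remove the block and rely on the workflow default. Separately, the new `outputs.hashes` reads a single `steps.output-hashes.outputs.hashes` slot from a matrix job; every matrix leg writes the same job output, so with more than one package only the last-finishing leg's value survives, which the per-package indexing in the `provenance` job cannot recover. The `build` job continues past this hunk.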
@@ -66,27 +69,58 @@ jobs:
           rye sync
           rye build
       - name: "Generate hashes"
-        id: hash
+        id: hashes
         run: |
-          cd dist && echo "hashes_${{ matrix.package }}=$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT
-          echo "hashes_${{ matrix.package }}=$(sha256sum * | base64 -w0)"
+          cd dist && echo "hash_${{ matrix.package }}=$(sha256sum * | base64 -w0)" >> $GITHUB_ENV
+          echo "hash_${{ matrix.package }}=$(sha256sum * | base64 -w0)"
       - uses: actions/upload-artifact@v4
         with:
           name: build-${{ matrix.package }}
-          path: ./dist
-  provenance_python:
-    needs: [build]
+          path: ./dist
+      - name: "Output hashes"
+        id: output-hashes
+        run: |
+          hashes=""
+          while IFS= read -r line; do
+            if [[ $line == hash_* ]]; then
+              value=$(echo "$line" | cut -d'=' -f2)
+              hashes="$hashes$value,"
+            fi
+          done < "$GITHUB_ENV"
+          # Remove the trailing comma
+          hashes="${hashes%,}"
+          echo "hashes=${hashes}" >> $GITHUB_OUTPUT
+  debug:
+    runs-on: ubuntu-latest
+    needs: ['path-filter', 'build']
+    strategy:
+      fail-fast: false
+      matrix:
+        include: ${{ fromJSON(needs.path-filter.outputs.package-matrix) }}
+    steps:
+      - name: "Print hashes"
+        run: |
+          echo "output hashes ${{ needs.build.outputs.hashes[format('hashes_{}', matrix.package)] }}"
+
+  provenance:
+    needs: ['path-filter', 'build']
     permissions:
       actions: read
       contents: write
       id-token: write # Needed to access the workflow's OIDC identity.
+    strategy:
+      fail-fast: false
+      matrix:
+        include: ${{ fromJSON(needs.path-filter.outputs.package-matrix) }}
     uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
     with:
-      base64-subjects: "${{ needs.build.outputs.hashes }}"
+      base64-subjects: ${{ needs.build.outputs.hashes[format('hashes_{}', matrix.package)] }}
+      # base64-subjects: ${{ needs.build.outputs.hashes.hash_lbox-clients }}
       upload-assets: true
-      upload-tag-name: ${{ inputs.tag }} # Tag from the initiation of the workflow
-      provenance-name: lbox-clients.intoto.jsonl
-
+      upload-tag-name: ${{ inputs.tag }}
+      provenance-name: ${{ matrix.package }}.intoto.jsonl
+
+
   test-build:
     needs: ['path-filter']
     if: ${{ needs.path-filter.outputs.lbox == 'true' }}
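Review bot: In the "Output hashes" step, `value=$(echo "$line" | cut -d'=' -f2)` truncates the value at the next `=`; the values are base64 and end in `=` padding whenever the sha256sum output length is not a multiple of three, so `base64-subjects` can receive a corrupted subject list and the attestation will not verify against the shipped artifacts. Use `value="${line#*=}"`, which strips only up to the first `=`. The consumer expression `needs.build.outputs.hashes[format('hashes_{}', matrix.package)]` (also used in the `debug` job) indexes a plain comma-joined string with a property name, and the prefix written to `$GITHUB_ENV` is `hash_` while the lookup asks for `hashes_`, so the expression most likely evaluates to empty rather than to the package's digest list; the SLSA generator needs exactly the base64 of one `sha256sum` listing per call, so the comma-joined form would not parse even if the lookup matched. The `debug` job and the commented-out `# base64-subjects:` line read as scaffolding that should not land in the publish workflow; the `test-build` job at the end of the hunk continues outside it.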