From b9cc6ab14d21567b0eb5fa54f5a554d90deb0781 Mon Sep 17 00:00:00 2001 From: Val Brodsky Date: Wed, 30 Oct 2024 09:15:01 -0700 Subject: [PATCH 1/4] Update the provenance action to include tag, etc., all needed params --- .github/actions/provenance/action.yml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/.github/actions/provenance/action.yml b/.github/actions/provenance/action.yml index ea809724c..c1c6b8231 100644 --- a/.github/actions/provenance/action.yml +++ b/.github/actions/provenance/action.yml @@ -4,6 +4,12 @@ inputs: subjects: required: true type: string + tag: + required: true + type: string + provenance-name: + required: true + type: string runs: using: "composite" steps: @@ -12,4 +18,5 @@ runs: with: base64-subjects: "${{ inputs.subjects }}" upload-assets: true - upload-tag-name: v.6.0.0 # Tag from the initiation of the workflow \ No newline at end of file + upload-tag-name: ${{ inputs.tag }} + provenance-name: ${{ inputs.provenance-name }} From 58d2fca7df09d2eb96b6719856119c0dfe9d75a4 Mon Sep 17 00:00:00 2001 From: Val Brodsky Date: Wed, 30 Oct 2024 09:29:16 -0700 Subject: [PATCH 2/4] Update the lbox publish workflow to publish lbox packages dynamically --- .github/workflows/lbox-publish.yml | 31 ++++++++++++++---------------- 1 file changed, 14 insertions(+), 17 deletions(-) diff --git a/.github/workflows/lbox-publish.yml b/.github/workflows/lbox-publish.yml index 782ea22cf..c9a4bffab 100644 --- a/.github/workflows/lbox-publish.yml +++ b/.github/workflows/lbox-publish.yml @@ -41,8 +41,10 @@ jobs: build: runs-on: ubuntu-latest needs: ['path-filter', 'test-build'] - outputs: - hashes: ${{ steps.hash.outputs.hashes_lbox-clients }} + permissions: + actions: read + contents: write + id-token: write # Needed to access the workflow's OIDC identity. strategy: fail-fast: false matrix: 
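Review bot: The new `tag` and `provenance-name` inputs carry no `description:`, so a caller of this composite action cannot tell what form `tag` must take or that `provenance-name` is the attestation file name; add `description: "Git tag the artifacts were built from; the release the provenance is uploaded to"` under `tag` and `description: "File name of the generated .intoto.jsonl attestation"` under `provenance-name`. As far as I know `required: true` on action inputs is not enforced by the runner at run time, so an omitted `tag` arrives as an empty string rather than failing the job; a small guard step that fails on an empty value would make the requirement real. `subjects` is quoted where it is consumed in the second hunk while the two new inputs are passed unquoted; both parse, but one style per file reads better.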
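Review bot: The `uses:` step that receives `base64-subjects`, `upload-assets`, `upload-tag-name` and `provenance-name` sits outside the hunk, but those four are inputs of the slsa-github-generator `generator_generic_slsa3.yml` reusable workflow, and a reusable workflow can only be invoked at job level (`jobs.<id>.uses`), not as a step under a composite action's `runs.steps`; if that is what the hidden step references, this action cannot run regardless of the parameters added here. The removed line also carried the explanation `# Tag from the initiation of the workflow`, which the replacement drops; keep it, e.g. `upload-tag-name: ${{ inputs.tag }} # tag the workflow was dispatched for`.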
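Review bot: `contents: write` and `id-token: write` are now granted to the `build` job itself rather than to a separate provenance job, which widens what any code executed during the build (dependency installation and the build tool, run in steps that follow this hunk) can do with the job's token: it can mint an OIDC token in the repository's identity and push to the repository. The SLSA generator's isolation model rests on the signing job being the trusted reusable workflow with those permissions while the build job runs with `contents: read`; keeping `permissions` on a dedicated provenance job preserves that. Dropping `outputs.hashes` also removes the only place a downstream job could read the digest from; whether anything else in the file still reads `needs.build.outputs` is not visible here.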
@@ -50,7 +52,6 @@ jobs: steps: - uses: actions/checkout@v4 with: - # ref: ${{ inputs.tag }} ref: ${{ inputs.tag }} - name: Install the latest version of rye uses: eifinger/setup-rye@v2 @@ -68,24 +69,20 @@ jobs: - name: "Generate hashes" id: hash run: | - cd dist && echo "hashes_${{ matrix.package }}=$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT + cd dist && echo "hashes=$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT echo "hashes_${{ matrix.package }}=$(sha256sum * | base64 -w0)" - uses: actions/upload-artifact@v4 with: name: build-${{ matrix.package }} - path: ./dist - provenance_python: - needs: [build] - permissions: - actions: read - contents: write - id-token: write # Needed to access the workflow's OIDC identity. - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0 - with: - base64-subjects: "${{ needs.build.outputs.hashes }}" - upload-assets: true - upload-tag-name: ${{ inputs.tag }} # Tag from the initiation of the workflow - provenance-name: lbox-clients.intoto.jsonl + path: ./dist + - uses: actions/checkout@v4 + with: + ref: ${{ github.head_ref }} + - uses: ./.github/actions/provenance + with: + subjects: "${{ steps.hash.outputs.hashes }}" + tag: ${{ inputs.tag }} + provenance-name: ${{ matrix.package }}.intoto.jsonl test-build: needs: ['path-filter'] From cd90be8ba0e586ab4bd5bc476507c03a79993f17 Mon Sep 17 00:00:00 2001 From: Val Brodsky Date: Thu, 31 Oct 2024 17:09:56 -0700 Subject: [PATCH 3/4] Dealing with provenance --- .github/workflows/lbox-publish.yml | 46 ++++++++++++++++++++++-------- 1 file changed, 34 insertions(+), 12 deletions(-) diff --git a/.github/workflows/lbox-publish.yml b/.github/workflows/lbox-publish.yml index c9a4bffab..eaa504aae 100644 --- a/.github/workflows/lbox-publish.yml +++ b/.github/workflows/lbox-publish.yml 
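Review bot: The second `actions/checkout@v4` uses `ref: ${{ github.head_ref }}`, which is only populated for pull_request-family events; on the dispatch path that supplies `inputs.tag` it is empty, so the checkout falls back to the default branch, and even when set it loads `./.github/actions/provenance` from a PR head rather than from the ref the artifacts were built from (`ref: ${{ inputs.tag }}` in the first checkout, shown in the previous hunk). The code that drives provenance generation is then sourced from a different commit than the subjects it attests, so the attestation no longer describes one build; use `ref: ${{ inputs.tag }}` here, or drop the second checkout entirely if the action already exists at that tag (if it does not, that is a sign the release should be cut from a commit that contains it). The leftover `echo "hashes_${{ matrix.package }}=..."` line still uses the old key name and only prints to the log; it is harmless but misleading next to the `hashes=` output actually written.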
@@ -67,23 +67,45 @@ jobs: rye sync rye build - name: "Generate hashes" - id: hash + id: hashes run: | - cd dist && echo "hashes=$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT - echo "hashes_${{ matrix.package }}=$(sha256sum * | base64 -w0)" + cd dist && echo "hash_${{ matrix.package }}=$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT + echo "hash_${{ matrix.package }}=$(sha256sum * | base64 -w0)" - uses: actions/upload-artifact@v4 with: name: build-${{ matrix.package }} path: ./dist - - uses: actions/checkout@v4 - with: - ref: ${{ github.head_ref }} - - uses: ./.github/actions/provenance - with: - subjects: "${{ steps.hash.outputs.hashes }}" - tag: ${{ inputs.tag }} - provenance-name: ${{ matrix.package }}.intoto.jsonl - + debug: + runs-on: ubuntu-latest + needs: ['path-filter', 'build'] + strategy: + fail-fast: false + matrix: + include: ${{ fromJSON(needs.path-filter.outputs.package-matrix) }} + steps: + - name: "Print hashes" + run: | + echo "output hashes ${{ needs.build.outputs.hashes[format('hashes_{}', matrix.package)] }}" + + provenance: + needs: ['path-filter', 'build'] + permissions: + actions: read + contents: write + id-token: write # Needed to access the workflow's OIDC identity. + strategy: + fail-fast: false + matrix: + include: ${{ fromJSON(needs.path-filter.outputs.package-matrix) }} + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0 + with: + base64-subjects: ${{ needs.build.outputs.hashes[format('hashes_{}', matrix.package)] }} + # base64-subjects: ${{ needs.build.outputs.hashes.hash_lbox-clients }} + upload-assets: true + upload-tag-name: ${{ inputs.tag }} + provenance-name: ${{ matrix.package }}.intoto.jsonl + + test-build: needs: ['path-filter'] if: ${{ needs.path-filter.outputs.lbox == 'true' }} From 7da9696fa58c6dca0421f05cce08a66f71b67c43 Mon Sep 17 00:00:00 2001 
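Review bot: `base64-subjects: ${{ needs.build.outputs.hashes[format('hashes_{}', matrix.package)] }}` cannot resolve to a value in this revision: the `build` job declares no `outputs:` (the block was removed in the previous patch of this series), the step writes its output under `hash_<package>`, not `hashes_<package>`, and indexing `outputs.hashes[...]` treats what would be a single string output as a map. The generator therefore receives an empty subject list, so no digest of the built packages is signed. The `debug` job interpolates the same expression straight into a `run:` line; the value is produced by this workflow so the injection risk is small, but passing it through `env:` and echoing `"$HASHES"` is the safer idiom for anything that ends up in a shell command. `debug` also duplicates the build's `needs:` and matrix only to print a value, so it can go once the output resolves.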
From: Val Brodsky Date: Fri, 1 Nov 2024 09:35:38 -0700 Subject: [PATCH 4/4] Another try --- .github/workflows/lbox-publish.yml | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/.github/workflows/lbox-publish.yml b/.github/workflows/lbox-publish.yml index eaa504aae..8f0feb143 100644 --- a/.github/workflows/lbox-publish.yml +++ b/.github/workflows/lbox-publish.yml @@ -49,6 +49,8 @@ jobs: fail-fast: false matrix: include: ${{ fromJSON(needs.path-filter.outputs.package-matrix) }} + outputs: + hashes: ${{ steps.output-hashes.outputs.hashes }} steps: - uses: actions/checkout@v4 with: @@ -69,12 +71,25 @@ jobs: - name: "Generate hashes" id: hashes run: | - cd dist && echo "hash_${{ matrix.package }}=$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT + cd dist && echo "hash_${{ matrix.package }}=$(sha256sum * | base64 -w0)" >> $GITHUB_ENV echo "hash_${{ matrix.package }}=$(sha256sum * | base64 -w0)" - uses: actions/upload-artifact@v4 with: name: build-${{ matrix.package }} path: ./dist + - name: "Output hashes" + id: output-hashes + run: | + hashes="" + while IFS= read -r line; do + if [[ $line == hash_* ]]; then + value=$(echo "$line" | cut -d'=' -f2) + hashes="$hashes$value," + fi + done < "$GITHUB_ENV" + # Remove the trailing comma + hashes="${hashes%,}" + echo "hashes=${hashes}" >> $GITHUB_OUTPUT debug: runs-on: ubuntu-latest needs: ['path-filter', 'build']
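Review bot: `hashes: ${{ steps.output-hashes.outputs.hashes }}` is declared on a matrix job, and a matrix job exposes one `outputs` map shared by all its legs, so each `package` leg overwrites the same `hashes` key and only the last leg to finish is visible to `needs.build.outputs.hashes`; the per-package lookup `needs.build.outputs.hashes[format('hashes_{}', matrix.package)]` in the provenance job (previous patch) still cannot tell packages apart. A per-package digest needs a per-package channel: write the `sha256sum` output into the `build-${{ matrix.package }}` artifact and have the provenance job download and read it, or build each package in its own non-matrix job with a static output name. The rest of the `build` job definition is outside this hunk.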
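Review bot: `value=$(echo "$line" | cut -d'=' -f2)` truncates the digest: `base64 -w0` output regularly ends in `=` or `==` padding, and `cut -f2` keeps only the text between the first and second `=`, so the `hashes` output loses its padding and will not base64-decode on the consumer side. Use parameter expansion, which keeps everything after the first `=`: `value="${line#*=}"`. Reading `$GITHUB_ENV` back is also fragile; the previous step already exported `hash_<package>` into the environment, and package names such as `lbox-clients` are presumably why it is parsed from the file instead of referenced as a shell variable, but `printenv "hash_${{ matrix.package }}"` should read it without touching the file. Quote the output path on the last line as well, `echo "hashes=${hashes}" >> "$GITHUB_OUTPUT"`.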