From 3774e58848f5079c89c179b445cdf0e0541f881b Mon Sep 17 00:00:00 2001
From: Mick Grove
Date: Thu, 2 Apr 2026 08:01:13 -0700
Subject: [PATCH] GitHub Action fix for PyPi publishing and SLSA Provenance

---
 .github/workflows/pypi.yml    |  1 +
 .github/workflows/release.yml | 24 ++++++++++++++++++++++--
 2 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/pypi.yml b/.github/workflows/pypi.yml
index d6aa187..3994406 100644
--- a/.github/workflows/pypi.yml
+++ b/.github/workflows/pypi.yml
@@ -145,3 +145,4 @@ jobs:
         with:
           packages-dir: dist-pypi
           verbose: true
+          attestations: false
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index a605bd6..7ae5fc5 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -457,8 +457,28 @@ jobs:
     uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@f7dd8c54c2067bafc12ca7a55595d5ee9b75204a # v2.1.0
     with:
       base64-subjects: "${{ needs.hash.outputs.hashes }}"
-      upload-assets: true
-      upload-tag-name: "${{ needs.release.outputs.tag }}"
+      upload-assets: false
+
+  upload-provenance:
+    name: Upload provenance to release
+    needs: [provenance, release]
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - name: Download provenance artifact
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: ${{ needs.provenance.outputs.provenance-name }}
+      - name: Upload to release
+        env:
+          GH_TOKEN: ${{ github.token }}
+          TAG: ${{ needs.release.outputs.tag }}
+          PROVENANCE_FILE: ${{ needs.provenance.outputs.provenance-name }}
+        run: |
+          gh release upload "${TAG}" "${PROVENANCE_FILE}" \
+            --repo "${{ github.repository }}" \
+            --clobber
 
   # ──────────────── Publish Docker image ────────────────
   publish-docker:
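Review bot: The added `attestations: false` in the pypi.yml hunk switches off the publish step's PEP 740 attestation upload without recording why, so the next maintainer cannot tell whether this is a workaround for a transient failure or a permanent decision that the PyPI release intentionally carries no publisher attestation. The step's `uses:` line is outside the hunk, so the publish action and version it applies to cannot be confirmed from here. Add a comment above the line such as `# attestations disabled: <reason> — re-enable once <condition>` with the concrete reason, and consider referencing the issue or run that motivated it.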
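Review bot: The new `upload-provenance` job in release.yml uploads whatever file the downloaded artifact contains without verifying it against the generator's published digest, so a provenance file altered between the `provenance` job and this job would be attached to the release as if it were authentic; the SLSA generic generator documents a `provenance-sha256` output for exactly this purpose, so if that output is present at the pinned v2.1.0 add `PROVENANCE_SHA256: ${{ needs.provenance.outputs.provenance-sha256 }}` to the step's `env:` and run `echo "${PROVENANCE_SHA256}  ${PROVENANCE_FILE}" | sha256sum --check` before `gh release upload`. The `run:` script also mixes two conventions: `TAG` and `PROVENANCE_FILE` are passed through `env:`, but `--repo "${{ github.repository }}"` is expanded by the template engine directly into the shell text, which is the pattern this file otherwise avoids; passing it as `REPO` via `env:` and using `"${REPO}"` keeps the script free of inline expressions. Since the commit replaces the generator's own upload (`upload-assets: false`) with this job, a one-line comment on `upload-provenance` stating why the built-in upload was abandoned would help; the reason is not visible in the hunk. The `provenance` job's `permissions:` block is outside the hunk, so whether it still needs `contents: write` after this change cannot be judged here.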