forked from mirrors/kingfisher
49 lines
1.3 KiB
YAML
49 lines
1.3 KiB
YAML
name: SLSA Provenance
|
|
|
|
on:
|
|
release:
|
|
types: [published]
|
|
|
|
permissions: {}
|
|
|
|
jobs:
|
|
# Compute SHA256 hashes of all release assets
|
|
hash:
|
|
name: Compute artifact hashes
|
|
runs-on: ubuntu-24.04
|
|
permissions:
|
|
contents: read
|
|
outputs:
|
|
hashes: ${{ steps.hash.outputs.hashes }}
|
|
steps:
|
|
- name: Download release assets
|
|
env:
|
|
GH_TOKEN: ${{ github.token }}
|
|
TAG_NAME: ${{ github.event.release.tag_name }}
|
|
run: |
|
|
set -euo pipefail
|
|
mkdir -p assets
|
|
gh release download "${TAG_NAME}" \
|
|
--repo "${{ github.repository }}" \
|
|
--dir assets
|
|
|
|
- name: Compute SHA256 hashes
|
|
id: hash
|
|
run: |
|
|
set -euo pipefail
|
|
cd assets
|
|
# Base64-encode the SHA256 hashes for SLSA provenance
|
|
echo "hashes=$(sha256sum -- * | base64 -w0)" >> "$GITHUB_OUTPUT"
|
|
|
|
# Generate SLSA provenance for the release artifacts
|
|
provenance:
|
|
name: Generate SLSA provenance
|
|
needs: [hash]
|
|
permissions:
|
|
actions: read
|
|
id-token: write
|
|
contents: write
|
|
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@f7dd8c54c2067bafc12ca7a55595d5ee9b75204a # v2.1.0
|
|
with:
|
|
base64-subjects: "${{ needs.hash.outputs.hashes }}"
|
|
upload-assets: true
|