@@ -24,14 +24,13 @@ jobs:
2424
2525 permissions :
2626 contents : write
27- id-token : write # Needed for keyless signing
28- actions : read # Needed for provenance generation
27+ id-token : write # Needed for keyless signing
28+ actions : read # Needed for provenance generation
29+ packages : write # Add this permission for attestations
30+ attestations : write # Add permissions for attestations
2931
3032 steps :
31- - name : Harden the runner (Audit all outbound calls)
32- uses : step-security/harden-runner@v2
33- with :
34- egress-policy : audit
33+ # step-security/harden-runner does not (yet) run on windows, so do not use it
3534
3635 - name : Checkout
3736 uses : actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
8281 }
8382 Get-Content -Raw git_hash.txt
8483
84+ name : Debug GitHub token and permissions
85+ run : |
86+ Write-Host "Checking GitHub token and permissions"
87+ # Don't print the actual token, just check if it exists
88+ if ([string]::IsNullOrEmpty("${{ secrets.GITHUB_TOKEN }}")) {
89+ Write-Host "::warning::GITHUB_TOKEN is empty or not accessible"
90+ } else {
91+ Write-Host "GITHUB_TOKEN is available"
92+ }
93+
94+ # Check if running in fork (which may have limited permissions)
95+ if ("${{ github.repository }}" -ne "${{ github.repository_owner }}/${{ github.event.repository.name }}") {
96+ Write-Host "::warning::Running in a fork which may have limited permissions"
97+ }
98+
8599name : Build installer
86100 run : |
87101 cd windows
@@ -90,6 +104,16 @@ jobs:
90104 ISCC.exe /dMyAppVersion=$env:VERSION ardupilot_methodic_configurator.iss
91105 ls Output
92106
107+ name : Generate GitHub Actions build provenance
108+ 109+ with :
110+ subject-path : windows/Output/*.exe
111+ subject-name : ' ardupilot_methodic_configurator'
112+ push-to-registry : false
113+ # Use the built-in token instead of secrets
114+ github-token : ${{ github.token }}
115+ show-summary : true
116+
93117 - name : Install Cosign
94118 uses : sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb
95119
@@ -103,20 +127,29 @@ jobs:
103127 $encoded = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes("$($hash) $_"))
104128 $encoded
105129 }
106- echo "hashes=$(($hashes -join ','))" >> $env:GITHUB_OUTPUT
130+ $hashesJoined = $hashes -join ','
131+ "hashes=$hashesJoined" | Out-File -FilePath $env:GITHUB_OUTPUT -Encoding utf8 -Append
107132
108133name : Store Executable Path
109134 id : exe_path
110135 run : |
111136 cd windows/Output
112137 $exePath = Get-ChildItem -Filter *.exe | Select-Object -First 1 -ExpandProperty FullName
113- echo "exe_path=$exePath" >> $env:GITHUB_OUTPUT
138+ "exe_path=$exePath" | Out-File -FilePath $env:GITHUB_OUTPUT -Encoding utf8 -Append
114139
115140name : Install SLSA Verifier
116141 run : |
117- $version = "v2.5.1 "
142+ $version = "v2.7.0 "
118143 $url = "https://github.com/slsa-framework/slsa-verifier/releases/download/$version/slsa-verifier-windows-amd64.exe"
119- Invoke-WebRequest -Uri $url -OutFile slsa-verifier.exe
144+ Invoke-WebRequest -Uri $url -OutFile "slsa-verifier.exe"
145+
146+ # Verify the download was successful
147+ if (Test-Path "slsa-verifier.exe") {
148+ Write-Host "SLSA verifier downloaded successfully to $(Get-Location)\slsa-verifier.exe"
149+ } else {
150+ Write-Host "::error::Failed to download SLSA verifier"
151+ exit 1
152+ }
120153
121154name : Generate SLSA provenance
122155 uses : slsa-framework/slsa-github-generator/actions/generator/generic/create-base64-subjects-from-file@f7dd8c54c2067bafc12ca7a55595d5ee9b75204a # v2.1.0
0 commit comments