4949 fail-fast : false
5050 matrix :
5151 include : ${{ fromJSON(needs.path-filter.outputs.package-matrix) }}
52+ outputs :
53+ hashes : ${{ steps.hashes.outputs.* }}
5254 steps :
5355 - uses : actions/checkout@v4
5456 with :
@@ -67,23 +69,41 @@ jobs:
6769 rye sync
6870 rye build
6971name : " Generate hashes"
70- id : hash
72+ id : hashes
7173 run : |
72- cd dist && echo "hashes =$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT
73- echo "hashes_ ${{ matrix.package }}=$(sha256sum * | base64 -w0)"
74+ cd dist && echo "hash_${{ matrix.package }} =$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT
75+ echo "hash_ ${{ matrix.package }}=$(sha256sum * | base64 -w0)"
7476uses : actions/upload-artifact@v4
7577 with :
7678 name : build-${{ matrix.package }}
7779 path : ./dist
78- - uses : actions/checkout@v4
79- with :
80- ref : ${{ github.head_ref }}
81- - uses : ./.github/actions/provenance
82- with :
83- subjects : " ${{ steps.hash.outputs.hashes }}"
84- tag : ${{ inputs.tag }}
85- provenance-name : ${{ matrix.package }}.intoto.jsonl
86-
80+ debug :
81+ runs-on : ubuntu-latest
82+ needs : ['build']
83+ steps :
84+ - name : " Print hashes"
85+ run : |
86+ echo "output hashes ${{ needs.build.outputs.hashes }}"
87+
88+ provenance :
89+ needs : ['path-filter', 'build']
90+ permissions :
91+ actions : read
92+ contents : write
93+ id-token : write # Needed to access the workflow's OIDC identity.
94+ strategy :
95+ fail-fast : false
96+ matrix :
97+ include : ${{ fromJSON(needs.path-filter.outputs.package-matrix) }}
98+ uses :
slsa-framework/slsa-github-generator/.github/workflows/[email protected] 99+ with :
100+ base64-subjects : ${{ needs.build.outputs.hashes[format('hashes_{}', matrix.package)] }}
101+ # base64-subjects: ${{ needs.build.outputs.hashes.hash_lbox-clients }}
102+ upload-assets : true
103+ upload-tag-name : ${{ inputs.tag }}
104+ provenance-name : ${{ matrix.package }}.intoto.jsonl
105+
106+
87107 test-build :
88108 needs : ['path-filter']
89109 if : ${{ needs.path-filter.outputs.lbox == 'true' }}
0 commit comments