@@ -41,16 +41,17 @@ jobs:
4141 build :
4242 runs-on : ubuntu-latest
4343 needs : ['path-filter', 'test-build']
44- outputs :
45- hashes : ${{ steps.hash.outputs.hashes_lbox-clients }}
44+ permissions :
45+ actions : read
46+ contents : write
47+ id-token : write # Needed to access the workflow's OIDC identity.
4648 strategy :
4749 fail-fast : false
4850 matrix :
4951 include : ${{ fromJSON(needs.path-filter.outputs.package-matrix) }}
5052 steps :
5153 - uses : actions/checkout@v4
5254 with :
53- # ref: ${{ inputs.tag }}
5455 ref : ${{ inputs.tag }}
5556 - name : Install the latest version of rye
5657 uses : eifinger/setup-rye@v2
@@ -68,24 +69,20 @@ jobs:
6869 - name : " Generate hashes"
6970 id : hash
7071 run : |
71- cd dist && echo "hashes_${{ matrix.package }} =$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT
72+ cd dist && echo "hashes =$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT
7273 echo "hashes_${{ matrix.package }}=$(sha256sum * | base64 -w0)"
7374 - uses : actions/upload-artifact@v4
7475 with :
7576 name : build-${{ matrix.package }}
76- path : ./dist
77- provenance_python :
78- needs : [build]
79- permissions :
80- actions : read
81- contents : write
82- id-token : write # Needed to access the workflow's OIDC identity.
83- uses :
slsa-framework/slsa-github-generator/.github/workflows/[email protected] 84- with :
85- base64-subjects : " ${{ needs.build.outputs.hashes }}"
86- upload-assets : true
87- upload-tag-name : ${{ inputs.tag }} # Tag from the initiation of the workflow
88- provenance-name : lbox-clients.intoto.jsonl
77+ path : ./dist
78+ - uses : actions/checkout@v4
79+ with :
80+ ref : ${{ github.head_ref }}
81+ - uses : ./.github/actions/provenance
82+ with :
83+ subjects : " ${{ steps.hash.outputs.hashes }}"
84+ tag : ${{ inputs.tag }}
85+ provenance-name : ${{ matrix.package }}.intoto.jsonl
8986
9087 test-build :
9188 needs : ['path-filter']
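Review bot: The `permissions` block added to `build` grants `contents: write` and `id-token: write` to the same job that runs `eifinger/setup-rye@v2` (pinned by tag, not commit SHA) and the package build, so every build step can now request the workflow's OIDC identity and write to the repository; before this change only the separate `provenance_python` job held those scopes. Generating provenance inside the job it attests to also gives up the isolation the removed reusable SLSA workflow provided, because a compromised build step could influence what gets signed. Consider keeping `build` at `contents: read` and running `./.github/actions/provenance` in a follow-up job with `needs: [build]` that alone carries the write scopes, if the per-package hashes can be handed to it (for example through the uploaded `build-${{ matrix.package }}` artifact). Separately, the second checkout's `ref: ${{ github.head_ref }}` is empty outside pull-request events and differs from the `ref: ${{ inputs.tag }}` used for the build, so the local action may be loaded from a different revision than the code it attests; `ref: ${{ inputs.tag }}` would keep them aligned, assuming the action exists at that tag.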