From 868383e0e501be2693248266b990f54776c409e4 Mon Sep 17 00:00:00 2001 From: Tom Stellard Date: Wed, 3 Dec 2025 10:26:00 -0800 Subject: [PATCH 1/4] workflows/release-binaries: Use upload-release-artifact action for uploading --- .github/workflows/release-binaries.yml | 56 ++++++++++---------------- 1 file changed, 21 insertions(+), 35 deletions(-) diff --git a/.github/workflows/release-binaries.yml b/.github/workflows/release-binaries.yml index a8bae830fc609..4e44f2d62aa45 100644 --- a/.github/workflows/release-binaries.yml +++ b/.github/workflows/release-binaries.yml @@ -181,6 +181,9 @@ jobs: needs: prepare if: github.repository_owner == 'llvm' runs-on: ${{ needs.prepare.outputs.build-runs-on }} + outputs: + digest: ${{ steps.digest.outputs.digest }} + artifact-id: ${{ steps.artifact-upload.outputs.artifact-id }} steps: - name: Checkout LLVM @@ -215,8 +218,17 @@ jobs: ninja -v -C ${{ steps.setup-stage.outputs.build-prefix }}/build stage2-package release_dir=`find ${{ steps.setup-stage.outputs.build-prefix }}/build -iname 'stage2-bins'` mv $release_dir/${{ needs.prepare.outputs.release-binary-filename }} . - + + - name: Generate sha256 digest for binaries + id: digest + shell: bash + env: + RELEASE_BINARY_FILENAME: ${{ needs.prepare.outputs.release-binary-filename }} + run: | + echo "digest=$(cat $RELEASE_BINARY_FILENAME | sha256sum | cut -d ' ' -f 1)" >> $GITHUB_OUTPUT + - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 + id: artifact-upload with: name: ${{ runner.os }}-${{ runner.arch }}-release-binary # Due to path differences on Windows when running in bash vs running on node, 
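Review bot: In the new `Generate sha256 digest for binaries` step the hash pipeline runs inside a command substitution that is only an argument to `echo`, so a failing `cat` (missing or misnamed file) does not fail the step. `sha256sum` then hashes empty input, and a well-formed but meaningless digest is published as the job output. `$RELEASE_BINARY_FILENAME` and `$GITHUB_OUTPUT` are also unquoted. Assigning first lets the failure propagate under the `-e -o pipefail` options that `shell: bash` runs with: `digest=$(sha256sum < "$RELEASE_BINARY_FILENAME" | cut -d ' ' -f 1)` followed by `echo "digest=$digest" >> "$GITHUB_OUTPUT"`. This matters because the value is later handed to the upload action as `digest`, presumably as the attestation subject.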
@@ -249,41 +261,15 @@ jobs: uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: sparse-checkout: | + .github/workflows/upload-release-artifact llvm/utils/release/github-upload-release.py llvm/utils/git/requirements.txt sparse-checkout-cone-mode: false - - name: 'Download artifact' - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 - with: - pattern: '*-release-binary' - merge-multiple: true - - - name: Attest Build Provenance - id: provenance - uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0 - with: - subject-path: ${{ needs.prepare.outputs.release-binary-filename }} - - - name: Rename attestation file - run: - mv ${{ steps.provenance.outputs.bundle-path }} ${{ needs.prepare.outputs.release-binary-filename }}.jsonl - - - name: Upload Build Provenance - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 - with: - name: ${{ needs.prepare.outputs.release-binary-filename }}-attestation - path: ${{ needs.prepare.outputs.release-binary-filename }}.jsonl - - - name: Install Python Requirements - run: | - pip install --require-hashes -r ./llvm/utils/git/requirements.txt - - - name: Upload Release - shell: bash - run: | - ./llvm/utils/release/github-upload-release.py \ - --token ${{ github.token }} \ - --release ${{ needs.prepare.outputs.release-version }} \ - upload \ - --files ${{ needs.prepare.outputs.release-binary-filename }}* + - name: Upload Artifacts + uses: ./.github/workflows/upload-release-artifact + with: + artifact-id: ${{ needs.build-release-package.outputs.artifact-id }} + attestation-name: ${{ needs.prepare.outputs.release-binary-filename }} + digest: ${{ needs.build-release-package.outputs.digest }} + upload: true From 286ced703b508afcf621b1627cc60026048687f1 Mon Sep 17 00:00:00 2001 
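Review bot: The upload job now takes `digest` from the build job's output instead of attesting the file it downloaded itself (the removed `subject-path` step), and nothing in this hunk shows the downloaded artifact being re-hashed and compared with that value. The composite action at `./.github/workflows/upload-release-artifact` is not part of this patch, so it may already do this. If it does not, the attestation would cover whatever digest the build job reported rather than the bytes that end up on the release. A comment above the step would record the expectation, e.g. `# digest is computed in build-release-package; the action must verify the downloaded artifact against it before attesting`. The sparse-checkout still lists `github-upload-release.py` and `requirements.txt` although the steps that called them are removed here; presumably the action uses them, which is also worth a one-line comment.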
From: Tom Stellard Date: Thu, 4 Dec 2025 17:39:40 -0800 Subject: [PATCH 2/4] Fix formatting --- .github/workflows/release-binaries.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/release-binaries.yml b/.github/workflows/release-binaries.yml index 4e44f2d62aa45..0aaf9f663c908 100644 --- a/.github/workflows/release-binaries.yml +++ b/.github/workflows/release-binaries.yml @@ -257,14 +257,14 @@ jobs: attestations: write # For artifact attestations steps: - - name: Checkout Release Scripts - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - with: - sparse-checkout: | - .github/workflows/upload-release-artifact - llvm/utils/release/github-upload-release.py - llvm/utils/git/requirements.txt - sparse-checkout-cone-mode: false + - name: Checkout Release Scripts + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + with: + sparse-checkout: | + .github/workflows/upload-release-artifact + llvm/utils/release/github-upload-release.py + llvm/utils/git/requirements.txt + sparse-checkout-cone-mode: false - name: Upload Artifacts uses: ./.github/workflows/upload-release-artifact From 492effb61229c0d6e19f557b1838d92766817a6b Mon Sep 17 00:00:00 2001 From: Tom Stellard Date: Fri, 5 Dec 2025 16:36:57 -0800 Subject: [PATCH 3/4] Enable attestation creation --- .github/workflows/release-binaries.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release-binaries.yml b/.github/workflows/release-binaries.yml index 0aaf9f663c908..785396bad987f 100644 --- a/.github/workflows/release-binaries.yml +++ b/.github/workflows/release-binaries.yml @@ -248,8 +248,7 @@ jobs: - prepare - build-release-package if: >- - github.event_name != 'pull_request' && - needs.prepare.outputs.upload == 'true' + github.event_name != 'pull_request' runs-on: ubuntu-24.04 permissions: contents: write # For release uploads 
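Review bot: Dropping `needs.prepare.outputs.upload == 'true'` from the job-level `if` means this job, which holds `contents: write` and `attestations: write`, now runs for every non-pull_request event, including runs where nothing is meant to be published. Whether a release upload happens then depends entirely on how the composite action interprets the `upload` input set in the next hunk (`upload: ${{ needs.prepare.outputs.upload }}`). That value arrives as a string, so the action has to compare it with `'true'` explicitly and treat an empty output as false. If attestations are intentionally created for non-upload runs, a short comment on the `if` would record that, e.g. `# runs without upload still attest; the release upload itself is gated by the action's upload input`. The job definition starts above this hunk.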
@@ -272,4 +271,4 @@ jobs: artifact-id: ${{ needs.build-release-package.outputs.artifact-id }} attestation-name: ${{ needs.prepare.outputs.release-binary-filename }} digest: ${{ needs.build-release-package.outputs.digest }} - upload: true + upload: ${{ needs.prepare.outputs.upload }} From 0831165335c40dc4bf22f5080138e306db2fc1d8 Mon Sep 17 00:00:00 2001 From: Tom Stellard Date: Sat, 6 Dec 2025 05:28:12 -0800 Subject: [PATCH 4/4] fix attestation --- .github/workflows/release-binaries.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release-binaries.yml b/.github/workflows/release-binaries.yml index 785396bad987f..fefa6e1ffb842 100644 --- a/.github/workflows/release-binaries.yml +++ b/.github/workflows/release-binaries.yml @@ -269,6 +269,6 @@ jobs: uses: ./.github/workflows/upload-release-artifact with: artifact-id: ${{ needs.build-release-package.outputs.artifact-id }} - attestation-name: ${{ needs.prepare.outputs.release-binary-filename }} + attestation-name: ${{ runner.os }}-${{ runner.arch }}-release-binary-attestation digest: ${{ needs.build-release-package.outputs.digest }} upload: ${{ needs.prepare.outputs.upload }}
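Review bot: `attestation-name` now uses `${{ runner.os }}-${{ runner.arch }}`, but in this job those expressions describe the upload runner (`runs-on: ubuntu-24.04`, visible in the earlier hunk of this series), not the machine that built the package. The name therefore appears to come out the same for every platform. It also no longer corresponds to the `${{ runner.os }}-${{ runner.arch }}-release-binary` artifact name that the build job evaluates on its own runner. If several platforms are handled within one workflow run, the attestation artifacts could collide. Consider exporting the name from `build-release-package` as a job output next to `digest` and `artifact-id`, and referencing it here as `needs.build-release-package.outputs.<output-name>`.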