--- name: SLSA on: push: release: permissions: contents: write types: [published, released] permissions: contents: read jobs: build: outputs: hashes: ${{ steps.hash.outputs.hashes }} runs-on: ubuntu-latest steps: - name: Harden Runner uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 with: egress-policy: audit - run: echo "REPOSITORY_NAME=$(echo '${{ github.repository }}' | awk -F '/' '{print $2}')" >> $GITHUB_ENV shell: bash - name: Checkout repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Build artifacts run: | find *.sh functions/* tests/* Dockerfile Vagrantfile -exec sha256sum {} \; > ${{ env.REPOSITORY_NAME }}.sha256 - name: Generate hashes shell: bash id: hash run: | echo "hashes=$(sha256sum ${{ env.REPOSITORY_NAME }}.sha256 | base64 -w0)" >> "$GITHUB_OUTPUT" - name: Upload ${{ env.REPOSITORY_NAME }}.sha256 uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 with: name: ${{ env.REPOSITORY_NAME }}.sha256 path: ${{ env.REPOSITORY_NAME }}.sha256 if-no-files-found: error retention-days: 5 provenance: needs: [build] permissions: actions: read id-token: write contents: write uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.10.0 with: base64-subjects: "${{ needs.build.outputs.hashes }}" upload-assets: ${{ startsWith(github.ref, 'refs/tags/') }} release: permissions: actions: read id-token: write contents: write needs: [build, provenance] runs-on: ubuntu-latest if: startsWith(github.ref, 'refs/tags/') steps: - run: echo "REPOSITORY_NAME=$(echo '${{ github.repository }}' | awk -F '/' '{print $2}')" >> $GITHUB_ENV shell: bash - name: Download ${{ env.REPOSITORY_NAME }}.sha256 uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 with: name: ${{ env.REPOSITORY_NAME }}.sha256 - name: Upload asset uses: softprops/action-gh-release@9d7c94cfd0a1f3ed45544c887983e9fa900f0564 # v2.0.4 with: files: | ${{ env.REPOSITORY_NAME }}.sha256