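---
# Builds a checksum manifest of the repository's scripts, attaches SLSA L3
# provenance to it via the slsa-framework generic generator, and (on tag
# pushes) publishes the manifest as a release asset.
name: SLSA

on:  # yamllint disable-line rule:truthy
  push:
  release:
    # NOTE(review): `permissions` is not a documented key under `on.release`
    # (only `types` is); the effective default is the top-level
    # `permissions` below. Confirm this key is intended, otherwise drop it.
    permissions:
      contents: write
    types: [published, released]

# Least privilege by default; each job elevates only what it needs.
permissions:
  contents: read

jobs:
  build:
    outputs:
      # base64 of `sha256sum <manifest>`; consumed by the provenance job as
      # the SLSA subject list.
      hashes: ${{ steps.hash.outputs.hashes }}
    runs-on: ubuntu-latest
    steps:
      # Derive the bare repository name (without owner) for artifact naming.
      - run: echo "REPOSITORY_NAME=$(echo '${{ github.repository }}' | awk -F '/' '{print $2}')" >> "$GITHUB_ENV"
        shell: bash
      - name: Checkout repository
        # Pinned to a commit, but the comment tracks `master` rather than a
        # release tag; prefer pinning to the SHA of a tagged release so the
        # pin is auditable against a published version.
        uses: actions/checkout@27135e314dd1818f797af1db9dae03a9f045786b # master
      - name: Build artifacts
        # The artifact is a manifest of sha256 digests, one line per file.
        run: |
          find *.sh functions/* tests/* Dockerfile Vagrantfile -exec sha256sum {} \; > ${{ env.REPOSITORY_NAME }}.sha256
      - name: Generate hashes
        shell: bash
        id: hash
        # The provenance subject is the manifest file itself, not the files
        # it lists; verifiers check the manifest's digest against provenance
        # and then the listed files against the manifest.
        run: |
          echo "hashes=$(sha256sum ${{ env.REPOSITORY_NAME }}.sha256 | base64 -w0)" >> "$GITHUB_OUTPUT"
      - name: Upload ${{ env.REPOSITORY_NAME }}.sha256
        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
        with:
          name: ${{ env.REPOSITORY_NAME }}.sha256
          path: ${{ env.REPOSITORY_NAME }}.sha256
          if-no-files-found: error
          retention-days: 5

  provenance:
    needs: [build]
    # id-token: write is required for the generator's OIDC-based signing;
    # contents: write lets it upload the provenance to the release.
    permissions:
      actions: read
      id-token: write
      contents: write
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0
    with:
      base64-subjects: "${{ needs.build.outputs.hashes }}"
      upload-assets: ${{ startsWith(github.ref, 'refs/tags/') }}

  release:
    needs: [build, provenance]
    # This job only downloads the run's artifact and uploads a release asset;
    # it performs no OIDC signing, so `id-token: write` was dropped.
    permissions:
      actions: read
      contents: write
    runs-on: ubuntu-latest
    if: startsWith(github.ref, 'refs/tags/')
    steps:
      - run: echo "REPOSITORY_NAME=$(echo '${{ github.repository }}' | awk -F '/' '{print $2}')" >> "$GITHUB_ENV"
        shell: bash
      - name: Download ${{ env.REPOSITORY_NAME }}.sha256
        uses: actions/download-artifact@cbed621e49e4c01b044d60f6c80ea4ed6328b281 # v2.1.1
        with:
          name: ${{ env.REPOSITORY_NAME }}.sha256
      - name: Upload asset
        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
        with:
          files: |
            ${{ env.REPOSITORY_NAME }}.sha256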