Merge pull request #38 from XposedOrNot/feature/slsa-provenance-workflow #2

	name: Release with SLSA Provenance

	on:
	push:
	tags:
	- 'v*'

	permissions: read-all

	jobs:
	build:
	runs-on: ubuntu-latest
	outputs:
	hashes: ${{ steps.hash.outputs.hashes }}

	steps:
	- name: Checkout code
	uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

	- name: Create release artifacts
	run: \|
	# Create source tarball
	git archive --format=tar.gz --prefix=XposedOrNot-API-${GITHUB_REF#refs/tags/}/ ${GITHUB_REF#refs/tags/} > XposedOrNot-API-${GITHUB_REF#refs/tags/}.tar.gz

	- name: Generate artifact hash
	id: hash
	run: \|
	echo "hashes=$(sha256sum XposedOrNot-API-*.tar.gz \| base64 -w0)" >> "$GITHUB_OUTPUT"

	- name: Upload artifacts
	uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
	with:
	name: release-artifacts
	path: XposedOrNot-API-*.tar.gz
	if-no-files-found: error

	provenance:
	needs: [build]
	permissions:
	actions: read
	id-token: write
	contents: write
	uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
	with:
	base64-subjects: "${{ needs.build.outputs.hashes }}"
	upload-assets: true

	release:
	needs: [build, provenance]
	runs-on: ubuntu-latest
	permissions:
	contents: write

	steps:
	- name: Download artifacts
	uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
	with:
	name: release-artifacts

	- name: Create Release
	env:
	GH_TOKEN: ${{ github.token }}
	run: \|
	gh release create ${{ github.ref_name }} \
	--repo ${{ github.repository }} \
	--title "${{ github.ref_name }}" \
	--generate-notes \
	XposedOrNot-API-*.tar.gz

Provide feedback