@@ -64,12 +64,45 @@ jobs:
6464 provenance :
6565 needs : [goreleaser]
6666 permissions :
67- actions : read # To read the workflow path.
68- id-token : write # To sign the provenance.
69- contents : write # To add assets to a release.
70- uses :
slsa-framework/slsa-github-generator/.github/workflows/[email protected] 71- with :
72- base64-subjects : " ${{ needs.goreleaser.outputs.hashes }}"
73- upload-tag-name : " ${{ needs.goreleaser.outputs.tag_name }}"
74- upload-assets : true # upload to a new release
75- draft-release : true
67+ actions : read
68+ id-token : write
69+ contents : write
70+ runs-on : ubuntu-latest
71+ steps :
72+ - name : Generate SLSA Provenance
73+ id : slsa
74+ uses :
slsa-framework/slsa-github-generator/.github/workflows/[email protected] 75+ with :
76+ base64-subjects : " ${{ needs.goreleaser.outputs.hashes }}"
77+ upload-assets : false
78+
79+ - name : Upload SLSA Provenance Attestation to Release
80+ env :
81+ GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
82+ TAG_NAME : ${{ needs.goreleaser.outputs.tag_name }}
83+ run : |
84+ set -euxo pipefail
85+ PROVENANCE_FILE="multiple.intoto.jsonl"
86+ SPDX_FILES="*.spdx.json"
87+
88+ files_to_upload=()
89+ if [ -f "$PROVENANCE_FILE" ]; then
90+ files_to_upload+=("$PROVENANCE_FILE")
91+ echo "Found provenance file: $PROVENANCE_FILE"
92+ else
93+ echo "Provenance '$PROVENANCE_FILE' cannot be found."
94+ exit 0
95+ fi
96+
97+ found_spdx=$(find . -maxdepth 1 -name '*.spdx.json' -print)
98+ if [ -n "$found_spdx" ]; then
99+ while IFS= read -r file; do
100+ files_to_upload+=("$file")
101+ echo "Found SPDX file: $file"
102+ done <<< "$found_spdx"
103+ else
104+ echo "$SPDX_FILES cannot be found."
105+ exit 0
106+ fi
107+
108+ gh release upload "$TAG_NAME" "${files_to_upload[@]}" --clobber
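Review bot: The step at gutter lines 74–75 points `uses:` at a `.github/workflows/…` path, i.e. a reusable workflow, but `steps[*].uses` only resolves actions (an `action.yml`/Dockerfile at the referenced path), so this job fails at workflow resolution; the SLSA generator has to remain a job-level `uses:` as in the removed lines 70–75, with the upload moved to a second job that `needs:` it and fetches the provenance via `actions/download-artifact` (the generator appears to publish `multiple.intoto.jsonl` as an artifact rather than into the caller's workspace — confirm against the pinned version's documentation). Independently, both `exit 0` branches in the `run:` script turn a missing attestation into a green job, and the SPDX branch at lines 104–105 exits before `gh release upload` runs even when the provenance file was already found, so the release ends up with neither file attached. Make absent provenance a hard failure, `exit 1`, and demote the SPDX case to `echo "::warning::$SPDX_FILES cannot be found."` with its `exit 0` removed so the provenance is still uploaded. The removed per-permission comments (`# To sign the provenance.`, `# To add assets to a release.`) were the only record of why `id-token: write` and `contents: write` are granted; keep them on lines 67–69.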