
Commit 17e5db9

committed
chore(.github/workflows/release.yml): add custom SLSA provenance and SPDX file upload to release workflow
Signed-off-by: Gaius <[email protected]>
1 parent efb7c75 commit 17e5db9

1 file changed

Lines changed: 42 additions & 9 deletions


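--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -64,12 +64,45 @@ jobs:
   provenance:
     needs: [goreleaser]
     permissions:
-      actions: read # To read the workflow path.
-      id-token: write # To sign the provenance.
-      contents: write # To add assets to a release.
-    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
-    with:
-      base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
-      upload-tag-name: "${{ needs.goreleaser.outputs.tag_name }}"
-      upload-assets: true # upload to a new release
-      draft-release: true
+      actions: read
+      id-token: write
+      contents: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Generate SLSA Provenance
+        id: slsa
+        uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+        with:
+          base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
+          upload-assets: false
+
+      - name: Upload SLSA Provenance Attestation to Release
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          TAG_NAME: ${{ needs.goreleaser.outputs.tag_name }}
+        run: |
+          set -euxo pipefail
+          PROVENANCE_FILE="multiple.intoto.jsonl"
+          SPDX_FILES="*.spdx.json"
+
+          files_to_upload=()
+          if [ -f "$PROVENANCE_FILE" ]; then
+            files_to_upload+=("$PROVENANCE_FILE")
+            echo "Found provenance file: $PROVENANCE_FILE"
+          else
+            echo "Provenance '$PROVENANCE_FILE' cannot be found."
+            exit 0
+          fi
+
+          found_spdx=$(find . -maxdepth 1 -name '*.spdx.json' -print)
+          if [ -n "$found_spdx" ]; then
+            while IFS= read -r file; do
+              files_to_upload+=("$file")
+              echo "Found SPDX file: $file"
+            done <<< "$found_spdx"
+          else
+            echo "$SPDX_FILES cannot be found."
+            exit 0
+          fi
+
+          gh release upload "$TAG_NAME" "${files_to_upload[@]}" --clobber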
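Review bot: The new `uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]` sits under `steps:`, but a step-level `uses:` can only reference an action, not a reusable workflow file under `.github/workflows/`; the SLSA generator has to stay a job-level `uses:` (as the removed lines had it) or run in its own job, with the upload step in a job that `needs:` it and downloads the provenance artifact, since the generator does not leave `multiple.intoto.jsonl` in this job's workspace. The workflow reference also reads as a mangled `generator_generic_slsa3.yml@<tag>` on this page, so confirm the pinned version in the file. In the upload script both `exit 0` branches let the release go green with no attestation attached, and the SPDX branch exits before the provenance already collected in `files_to_upload` is uploaded; a missing provenance should fail the job with `exit 1`, and a missing SBOM should only `echo` and fall through to `gh release upload`. The job has no checkout step, so `gh` may not resolve the repository on its own — adding `GH_REPO: ${{ github.repository }}` to `env:` is worth verifying against a run.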
