@@ -64,12 +64,56 @@ jobs:
6464 provenance :
6565 needs : [goreleaser]
6666 permissions :
67- actions : read # To read the workflow path.
68- id-token : write # To sign the provenance.
69- contents : write # To add assets to a release.
67+ id-token : write
68+ contents : read
69+ actions : read
7070 uses : slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
7171 with :
7272 base64-subjects : " ${{ needs.goreleaser.outputs.hashes }}"
73- upload-tag-name : " ${{ needs.goreleaser.outputs.tag_name }}"
74- upload-assets : true # upload to a new release
75- draft-release : true
73+ upload-assets : true
74+
75+ upload-provenance :
76+ needs : [goreleaser, provenance]
77+ permissions :
78+ contents : write
79+ runs-on : ubuntu-latest
80+ steps :
81+ - name : Download SLSA provenance artifacts
82+ uses : actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
83+ with :
84+ pattern :
85+ multiple.intoto.jsonl
86+ *.spdx.json
87+
88+ - name : Upload SLSA Provenance Attestation to Release
89+ env :
90+ TAG_NAME : ${{ needs.goreleaser.outputs.tag_name }}
91+ run : |
92+ set -euxo pipefail
93+ PROVENANCE_FILE="multiple.intoto.jsonl"
94+ SPDX_FILES="*.spdx.json"
95+
96+ files_to_upload=()
97+ if [ -f "$PROVENANCE_FILE" ]; then
98+ files_to_upload+=("$PROVENANCE_FILE")
99+ else
100+ echo "Provenance cannot be found."
101+ exit 1
102+ fi
103+
104+ found_spdx=$(find . -maxdepth 1 -name '*.spdx.json' -print)
105+ if [ -n "$found_spdx" ]; then
106+ while IFS= read -r file; do
107+ files_to_upload+=("$file")
108+ done <<< "$found_spdx"
109+ else
110+ echo "$SPDX_FILES not found."
111+ exit 1
112+ fi
113+
114+ if [ ${#files_to_upload[@]} -eq 0 ]; then
115+ echo "No files to upload."
116+ exit 1
117+ fi
118+
119+ gh release upload "$TAG_NAME" "${files_to_upload[@]}" --clobber
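Review bot: The `gh release upload` call at the end of the `run:` block has no token available, because the step's `env:` sets only `TAG_NAME`; the `gh` CLI on a hosted runner refuses to run without one, so add `GH_TOKEN: ${{ github.token }}` next to `TAG_NAME` (the job's `contents: write` is the only scope that call needs, so the permission block itself is right). The `pattern:` value in the download step is a two-line plain scalar, which YAML folds into the single string `multiple.intoto.jsonl *.spdx.json` rather than two patterns, and with `actions/download-artifact` v4 matched artifacts are, as far as I recall, extracted into per-artifact subdirectories unless `merge-multiple: true` is set, so `[ -f "$PROVENANCE_FILE" ]` and the `find . -maxdepth 1` lookup would likely miss the files — confirm with a test run before relying on it. The `[ ${#files_to_upload[@]} -eq 0 ]` guard is unreachable because both earlier branches already `exit 1`, and `SPDX_FILES` is only used in an error message while the glob is repeated in the `find` call; `find . -maxdepth 1 -name "$SPDX_FILES" -print` keeps the two in sync. Narrowing `provenance` to `contents: read` and isolating `contents: write` in the new job is a sound least-privilege split.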