Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
35 changes: 30 additions & 5 deletions .github/workflows/main.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -230,16 +230,41 @@ jobs:
permissions:
actions: read # To read the workflow path.
id-token: write # To sign the provenance.
contents: write # To add assets to a release.
# write required even with upload-assets:false due to slsa-framework/slsa-github-generator#2044
contents: write

# Note: this _must_ be referenced by tag. See: https://github.com/slsa-framework/slsa-verifier/issues/12
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
with:
base64-subjects-as-file: "${{ needs.goreleaser.outputs.subjects-as-file }}"
provenance-name: "fga.intoto.jsonl"
upload-assets: true
upload-tag-name: ${{ github.ref_name }}
draft-release: true
# Don't let the generator attach the provenance:
# - it uses softprops/action-gh-release@v2.2.1, whose paginated draft lookup
# creates a duplicate draft once a repo has >100 releases (2 pages)
# - the provenance is still published as a workflow artifact, so the
# release-provenance job attaches it via `gh release upload` (by tag)
upload-assets: false
Comment thread
SoulPancake marked this conversation as resolved.

release-provenance:
Comment thread
SoulPancake marked this conversation as resolved.
needs: [ binary-provenance ]
runs-on: ubuntu-latest
timeout-minutes: 10
permissions:
contents: write # To add the provenance asset to the draft release.
steps:
- name: Download the provenance
uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
with:
name: ${{ needs.binary-provenance.outputs.provenance-name }}

- name: Attach provenance to the draft release
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
PROVENANCE: ${{ needs.binary-provenance.outputs.provenance-name }}
run: |
set -euo pipefail
gh release upload "$GITHUB_REF_NAME" "$PROVENANCE" \
--repo "$GITHUB_REPOSITORY" --clobber

image-provenance:
needs: [ goreleaser ]
Expand All @@ -258,7 +283,7 @@ jobs:
registry-password: ${{ secrets.DOCKERHUB_TOKEN }}

undraft-release:
needs: [ binary-provenance, image-provenance ]
needs: [ release-provenance, image-provenance ]
permissions:
contents: write
uses: openfga/.github/.github/workflows/undraft-release.yml@main
Expand Down
Loading