diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 3649f86cc37..f2a8cb69643 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -14,6 +14,8 @@ jobs:
       contents: write
     runs-on: ubuntu-latest
     timeout-minutes: 60
+    outputs:
+      hashes: ${{ steps.hash.outputs.hashes }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4.1.7
@@ -34,9 +36,34 @@ jobs:
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v6.0.0
+        id: run-goreleaser
         with:
           distribution: goreleaser
           version: latest
           args: release
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Generate subject
+        id: hash
+        env:
+          ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
+        run: |
+          set -euo pipefail
+          hashes=$(echo $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join(" ") | sub("^sha256:";"")' | base64 -w0)
+          if test "$hashes" = ""; then # goreleaser < v1.13.0
+            checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
+            hashes=$(cat $checksum_file | base64 -w0)
+          fi
+          echo "hashes=$hashes" >> $GITHUB_OUTPUT
+
+  provenance:
+    needs: [goreleaser]
+    permissions:
+      actions: read # To read the workflow path.
+      id-token: write # To sign the provenance.
+      contents: write # To add assets to a release.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
+    with:
+      base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
+      upload-assets: true # upload to a new release
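Review bot: The first line of the "Generate subject" script expands `$ARTIFACTS` unquoted (`echo $ARTIFACTS | jq ...`), so the shell word-splits and glob-expands the artifact JSON before jq sees it, whereas the fallback branch two lines later correctly uses `"$ARTIFACTS"`; since this value becomes the SLSA subject list, it should be `hashes=$(echo "$ARTIFACTS" | jq --raw-output '...' | base64 -w0)`. The same quoting applies to `hashes=$(base64 -w0 < "$checksum_file")` and `echo "hashes=$hashes" >> "$GITHUB_OUTPUT"`. In the fallback, an empty `checksum_file` (no artifact of type Checksum) makes `cat` read stdin rather than fail, so the job would presumably hand the provenance job an empty subject list; a guard such as `test -n "$checksum_file"` before the `cat` would turn that into a hard error under `set -e`. Note also that the jq `join(" ")` format assumes artifact names contain no whitespace, which is worth a comment on the line.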