build: adding provenance steps to manual publish workflow

launchdarkly · Jan 24, 2024 · 4e10535 · 4e10535
1 parent ea654f2
commit 4e10535
Showing 1 changed file with 17 additions and 0 deletions.
diff --git a/.github/workflows/manual-publish.yml b/.github/workflows/manual-publish.yml
@@ -14,6 +14,8 @@ jobs:
  permissions:
  id-token: write
  contents: read
+ outputs:
+ package-hashes: ${{ steps.build.outputs.package-hashes}}
  steps:
  - uses: actions/checkout@v4
 
@@ -31,8 +33,23 @@ jobs:
  ssm_parameter_pairs: '/production/common/releasing/pypi/token = PYPI_AUTH_TOKEN'
 
  - uses: ./.github/actions/build
+ id: build
 
  - uses: ./.github/actions/publish
  with:
  token: ${{env.PYPI_AUTH_TOKEN}}
  dry_run: ${{ inputs.dry_run }}
+
+ release-provenance:
+ needs: [ 'build-publish' ]
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ id-token: write
+ contents: write
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.7.0
+ with:
+ base64-subjects: "${{ needs.build-publish.outputs.package-hashes }}"
+ upload-assets: true
+ upload-tag-name: TBD
+